Subject: Re: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library
To: Jeremy C. Reed <reed@reedmedia.net>
From: Christos Zoulas <christos@zoulas.com>
List: tech-security
Date: 03/24/2003 16:24:34
On Mar 24, 1:21pm, reed@reedmedia.net ("Jeremy C. Reed") wrote:
-- Subject: Re: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR libr
| On Mon, 24 Mar 2003, Christos Zoulas wrote:
|
| > >Does this mean NetBSD is not vulnerable at all to this CERT Advisory
| > >CA-2003-10 Integer overflow in Sun RPC XDR library routines?
| >
| > We were vulnerable, but in a slightly different attack. All fixes have
| > been applied to current, and pulled up to 1.6.x and 1.5.x.
|
| I saw the fixes. (I understand that this is also different from NetBSD
| Security Advisory 2002-011.)
| Does anyone know if there is an official (non-NetBSD) advisory for this?
There is one created:
SA2003-008 faulty length checks in xdrmem_getbytes
and it will be posted when it is ready.
| Any URLs? (I think this is different than CAN-2003-0028.)
|
| Will NetBSD be announcing an advisory?
|
| Thanks,
|
| Jeremy C. Reed
| http://bsd.reedmedia.net/
christos