DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 12th August 2016
betweendayandnight betweendayandnight is offline
friendly
 
Join Date: Jul 2015
Posts: 67
Default Security vulnerability in TCP stack implementation

On August 6 and 10, 2016, National Vulnerability Database issued a security alert on the TCP stack implementation that it says affects the Linux kernel.

For further information on the security vulnerability, please click the following URL:

https://web.nvd.nist.gov/view/vuln/d...=CVE-2016-5696

Could the experts here confirm that OpenBSD versions 5.9 and 5.10 are NOT compromised by it? If they are, when can the community expect a fix for it?

Last edited by betweendayandnight; 12th August 2016 at 09:48 AM. Reason: provide additional information
Reply With Quote
  #2   (View Single Post)  
Old 12th August 2016
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 5,786
Default

  1. The best place to ask questions of the Project would be through their mailing lists. This is a third party forum, and we're primarily users here, not experts. I may try to help answer questions, but I'm in the former category, not the latter.
  2. The vulnerability you cite references only the Linux kernel. The specific Linux kernel source code module referenced is net/ipv4/tcp_input.c, which is both Linux-specific and has a completely different provenance from the OpenBSD protocol stack's module with a similar name: src/sys/netinet/tcp_input.c. If you look at the two modules, you can see that they are completely different.
  3. The only way to know for certain if there is a similar vulnerability would be to test the exploit.

    I don't have the skills to develop exploit tests myself. I attempted to do so recently for a pair of CVEs affecting one of the ports I maintain, in order to show the upstream project that they were vulnerable and should apply patches. I was unsuccessful in recreating the exploit tests but the upstream project applied the patches anyway. The CVE patches are in the current version of the port; the updated port removes the CVE patches as they are now included in the application. http://marc.info/?l=openbsd-ports&m=146997546125497&w=2

Last edited by jggimi; 12th August 2016 at 11:09 AM. Reason: Added additional info regarding the port, plus a link
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Security Security vulnerability in sudo allows privilege escalation J65nko News 0 5th March 2013 03:52 PM
Security Security vulnerability in sudo's netmask function patched J65nko News 0 18th May 2012 01:06 AM
Security Security vulnerability in NVIDIA's proprietary Linux drivers fixed J65nko News 0 13th April 2012 01:18 AM
phpMyAdmin updates close security vulnerability J65nko News 0 10th February 2011 03:58 PM
Security vulnerability in SpamAssassin filter module J65nko News 0 17th March 2010 08:05 PM


All times are GMT. The time now is 11:46 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick