Statement on backdoor in xz library


March 30, 2024 posted by Nia Alarie

Recently, a backdoor was discovered in the xz compression library. XZ/liblzma are included as part of NetBSD and used by the project for distribution of new releases and packages.

The version of xz shipped in all stable (and unstable) versions of NetBSD predates any code changes by the author of the backdoor. NetBSD is therefore safe and unaffected by the recent discoveries.


Network Security Audit


May 28, 2018 posted by Maxime Villard

Security audit of NetBSD's network stack


Recent Security Affairs


February 05, 2018 posted by Maxime Villard

An update on the recent security affairs and how they are, or were, handled on NetBSD.

The strongest KASLR, ever?


November 20, 2017 posted by Maxime Villard

Latest developments in the Kernel ASLR district.

Kernel ASLR on amd64


October 12, 2017 posted by Maxime Villard

Recently, I completed a Kernel ASLR implementation for NetBSD-amd64, making NetBSD the first BSD system to support such a feature. Simply said, KASLR is a feature that randomizes the location of the kernel in memory, making it harder to exploit several classes of vulnerabilities, both locally (privilege escalations) and remotely (remote code executions).

New Security Advisories: NetBSD-SA2011-002 OpenSSL TLS race condition and NetBSD-SA2011-003 kernel memory exhaustion


March 08, 2011 posted by Tonnerre Lombard

Two new NetBSD Security Advisories have been published affecting OpenSSL and the kernel.


New Security Advisories: NetBSD-SA2010-012 OpenSSL TLS race condition and NetBSD-SA2010-013 UDP6 Option Local DoS


November 29, 2010 posted by Tonnerre Lombard

Two new security advisories were published:

You can find more information about them on the Security and NetBSD page.


New Security Advisory: NetBSD-SA2010-008 sftp(1)/ftp(1)/glob(3) related resource exhaustion


October 07, 2010 posted by Tonnerre Lombard

A new NetBSD security advisory has been published affecting the glob library and the SSH (sftp) and FTP daemons.


New Security Advisory: NetBSD-SA2010-007 Integer overflow in libbz2 decompression code


September 29, 2010 posted by Tonnerre Lombard

A new NetBSD security advisory has been published affecting the bzip2(1) program, the libbz2 library and the rescue system.


New Security Advisory: NetBSD-SA2010-003 azalia(4)/hdaudio(4) negative mixer index panic


February 05, 2010 posted by Tonnerre Lombard

A new NetBSD security advisory has been published affecting the azalia(4) and hdaudio(4) drivers.


New package security checks


January 19, 2010 posted by Julio Merino

The pkgsrc tools have had, for a long time, the ability to validate the installed packages against a database of known vulnerabilities. We have encouraged administrators to add the proper commands to their crontabs to refresh the database and to run the package auditing command. But... the package tools are shipped with the system, and we ship a crontab for root... so we could do better, couldn't we?

As of now, the /etc/daily script, which is part of the default root crontab, will refresh the vulnerabilities database. And the /etc/security script, executed by /etc/daily, will run the vulnerability and integrity checks provided by pkg_admin. The result is that you will get all the package auditing checks out of the box as soon as you start installing packages on a NetBSD system!

All of these settings are, of course, tunable through /etc/daily.conf and /etc/security.conf, and they will only run if they detect any installed packages.


New Security Advisories: NetBSD-SA2010-001 (Module autoloading) and NetBSD-SA2010-002 (OpenSSL)


January 13, 2010 posted by Tonnerre Lombard

Two new security advisories have been released, affecting the NetBSD kernel file system module autoloader and OpenSSL.
