derive IP address(es) from the interface (e.g. "... from any to fxp0").
This, however, creates a window for possible attacks from the network.
Implement the solution proposed by YAMAMOTO Takashi:
Add /etc/defaults/pf.boot.conf and load it with the /etc/rc.d/pf_boot
script before starting the network. People who don't like the default
rules can override it with their own /etc/pf.boot.conf.
The default rules have been obtained from OpenBSD.
No objections on: tech-security
Fix vulnerability to a denial-of-service attack which passes a
length-0 crypto op. Check for zero length and return EINVAL, taken from:
http://cvsweb.FreeBSD.org/src/sys/opencrypto/cryptodev.c.diff?r1=1.25&r2=1.26
Original FreeBSD log message:
Modified files:
sys/opencrypto cryptodev.c
Log:
Fix bogus check. It was possible to panic the kernel by giving 0 length.
This is actually a local DoS, as every user can use /dev/crypto if there
is crypto hardware in the system and cryptodev.ko is loaded (or compiled
into the kernel).
Reported by: Mike Tancsa <mike@sentex.net>
Thanks to Sam Leffler for passing on a heads-up about this issue.
Added a big FIXME because two group lists containing the same entries,
but ordered differently, still compare as unequal. The same holds if one
group list contains an entry twice while the other does not. ok'ed by
christos.
We've handled 16 character logins for quite some time, and we even
have packages that create >8 character accounts. There is no point in
pretending the limit is 8 any more by default.
Discussed (very lightly -- there was little comment) on tech-userlevel
http://www.netbsd.org/People/port-maintainers.html .
Also, clarify some comments, escape a backslash so that the correct
macro for ø is generated, and make sure it's substituted everywhere
in the name.
This script is still not perfect - it will produce incorrect output
the first time that the second portmaster has a hyperlink associated
with his name. For now, though, it generates correct output for
what we've got.
which attach to the hypervisor. This allows the use of config_found_ia() instead of
config_found(), rather than relying on the order in which devices are
written in ioconf.c.
From Quentin Garnier.
for the most part, skeleton files that allow the amd64 INSTALL document
to have all the platform-independent bits, with very little MD stuff.
The MD pieces will have to wait for someone familiar with the platform
to add them.