Security and NetBSD

The NetBSD Project adopts the same approach to security as it does to the rest of the system: Solutions and not hacks. Security issues in NetBSD are handled by the NetBSD security officer and the NetBSD security alert team. As well as investigating, documenting and updating code in response to newly reported security issues, the team also performs periodic code audits to search for and remove potential security problems.

NetBSD has integrated Kerberos 5 (Heimdal), SSH (OpenSSH) and full support for IPsec for both IPv4 and IPv6. In addition, all services default to their most secure settings, and no services are enabled by default for new installations.

Security Advisories

When serious security problems in NetBSD are discovered and corrected, we issue a security advisory, describing the problem and containing a pointer to the fix. These are announced to our netbsd-announce mailing list and our security-announce mailing list as well as to various other mailing lists and websites. In addition, they are archived on this site as well as provided as an RSS feed.

Recent Advisories by NetBSD releases:

See the release archive for a complete list.

Recent Advisories by Advisory Number:

NetBSD-SA2012-004 BIND resolver DoS when using DNSSEC Validation
NetBSD-SA2012-003 Intel processors sysret to non-canonical address behaviour
NetBSD-SA2012-002 OpenSSL Invalid TLS/DTLS record attack
NetBSD-SA2012-001 OpenSSL buffer overflow in DER read function
NetBSD-SA2011-009 BIND resolver DoS
NetBSD-SA2011-008 OpenPAM privilege escalation
NetBSD-SA2011-007 LZW decoding loop on manipulated compressed files
NetBSD-SA2011-006 BIND DoS via packet with rrtype zero
NetBSD-SA2011-005 ISC dhclient does not strip shell meta-characters in
NetBSD-SA2011-004 Kernel stack overflow via nested IPCOMP packet
NetBSD-SA2011-003 Exhausting kernel memory from user controlled value
NetBSD-SA2011-002 OpenSSL TLS extension parsing race condition.
NetBSD-SA2011-001 BIND DoS due to improper handling of RRSIG records
NetBSD-SA2010-013 UDP6 Option Parsing local Denial of Service
NetBSD-SA2010-012 OpenSSL TLS extension parsing race condition.
NetBSD-SA2010-011 OpenSSL Double Free Arbitrary Code Execution
NetBSD-SA2010-010 Buffer Length Handling Errors in netsmb
NetBSD-SA2010-009 Privilege Handling Errors In larn
NetBSD-SA2010-008 sftp(1)/ftp(1)/glob(3) related resource exhaustion
NetBSD-SA2010-007 Integer overflow in libbz2 decompression code
NetBSD-SA2010-006 Buffer length checking errors in CODA
NetBSD-SA2010-005 NTP server Denial of Service vulnerability
NetBSD-SA2010-004 amd64 per-page No-execute (NX) bit disabled
NetBSD-SA2010-003 azalia(4)/hdaudio(4) negative mixer index panic
NetBSD-SA2010-002 OpenSSL TLS renegotiation man in the middle vulnerability
NetBSD-SA2010-001 File system module autoloading Denial of Service attack
NetBSD-SA2009-013 BIND named dynamic update Denial of Service vulnerability
NetBSD-SA2009-012 SHA2 implementation potential buffer overflow
NetBSD-SA2009-011 ISC DHCP server Denial of Service vulnerability
NetBSD-SA2009-010 ISC dhclient subnet-mask flag stack overflow
NetBSD-SA2009-009 OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities
NetBSD-SA2009-008 OpenSSL ASN1 parsing denial of service and CMS signature verification weakness
NetBSD-SA2009-007 Buffer overflows in hack(6)
NetBSD-SA2009-006 Buffer overflows in ntp
NetBSD-SA2009-005 Plaintext Recovery Attack Against SSH
NetBSD-SA2009-004 NetBSD OpenPAM passwd(1) changing weakness
NetBSD-SA2009-003 proplib crashes on reading bad XML data
NetBSD-SA2009-002 tcpdump multiple denial of service and arbitrary code execution issues
NetBSD-SA2009-001 PF firewall remote Denial Of Service attack
NetBSD-SA2008-015 ICMPv6 Packet Too Big messages
NetBSD-SA2008-014 Cross-site request forgery in ftpd(8)
NetBSD-SA2008-013 IPv6 Neighbor Discovery Protocol
NetBSD-SA2008-012 Denial of service issues in racoon(8)

See the advisory archive for a complete list.

Advisories for NetBSD-current

In some cases a security issue will be discovered in NetBSD-current and then be resolved soon after. These issues are often short lived any do not impact any NetBSD releases. In these cases we don't release patches or advisories specifically for NetBSD-current, but instead recommend that you update to a version containing the fixes. See the advisories above for the fix dates. If a security issue is identified that just impacts NetBSD-current the NetBSD security officer team will send an email to the current-users mailing list detailing the issue and what updates are necessary. We recommend that all users running NetBSD-current subscribe to the current-users mailing list so that they are aware of these issues. Users tracking NetBSD-current should be upgrading their systems often to gain new features as well as resolving known issues.

Security Contacts

The NetBSD Project has two security related contact points:

The tech-security mailing list is an open forum for discussing issues related to NetBSD security.
You can directly contact the NetBSD Project about security issues by sending email to <security-alert@NetBSD.org>.

Reporting a security problem

To report a security problem in NetBSD, either contact the NetBSD <security-alert@NetBSD.org> team or send a standard NetBSD problem report, using the send-pr form or the send-pr(1) program on your NetBSD system.

Sensitive information should be encrypted using PGP, using the NetBSD security-officers' PGP key.

Security Patches

All published NetBSD security patches are available on the NetBSD Project's FTP server in the security/patches/ directory.

NetBSD Packages Collection (pkgsrc)

The NetBSD Packages Collection provides easy source or binary installation of a large number of third-party applications. Users should remember that there can often be bugs in third-party software, and some of these bugs can leave a machine vulnerable to exploitation. To cope with this, NetBSD provides an easy way to audit your installed packages for known vulnerabilities.

Checking for vulnerabilities in installed packages

The NetBSD pkgsrc Security Team and package maintainers keep a list of known security vulnerabilities in packages which are (or have been) included in pkgsrc. The list is available from the NetBSD FTP site at:

http://ftp.NetBSD.org/pub/NetBSD/packages/vulns/pkg-vulnerabilities

Through audit-packages, this list can be downloaded automatically, and a security audit of all packages installed on a system can take place.

There are two components to audit-packages. The first component, download-vulnerability-list, is for downloading the list of vulnerabilities from the NetBSD FTP site. The second component, audit-packages, checks to see if any of your installed packages are vulnerable. If a package is vulnerable, you will see output similar to the following:

Package samba-2.0.9 has a local-root-shell vulnerability, see http://www.samba.org/samba/whatsnew/macroexploit.html

Users can set up audit-packages to download the pkg-vulnerabilities file daily, and include a package audit in the daily security script. Details on this are located in the MESSAGE file for pkg_install.

Reporting a pkgsrc security problem

If you believe you have found a security issue for a software package in pkgsrc that is not detected by audit-packages then contact the pkgsrc Security Team.

Migrating from security/audit-packages to pkgtools/pkg_install

In April 2007 the functionality provided by the security/audit-packages package was re-written in C and merged into the pkg_install package. This brought a number of improvements in terms of both speed and functionality when compared to the old security/audit-packages package. In January of 2008 the security/audit-packages package was removed from the pkgsrc CVS tree and the required version of the pkg_install package was increased to pkg_install-20071224 so that the functionality that was provided by security/audit-packages was adequately replaced. The migration process should be easy for most users and simply involve removing the old package (i.e. pkg_delete audit-packages) and then updating pkg_install, you must follow this process as pkgtools/pkg_install and security/audit-packages install conflicting files. In addition to this any scripts (e.g. crontab(5) files, security.local etc.) that point to the old binaries (i.e. audit-packages and download-vulnerability-list) must also be updated.

If you cannot migrate to pkg_install-20071224 immediately and need to continue using security/audit-packages to look for package vulnerabilities the pkgsrc Security Team will continue to keep the pkg-vulnerabilities database up to date until at least the pkgsrc-2008Q1 branch has been cut. When support for security/audit-packages is fully removed we will update the old pkg-vulnerabilities database to indicate that it will no longer be updated. At this point you should upgrade to pkg_install>=20071224 in order to receive further updates to the pkg-vulnerabilities database.

For any questions or problems with this process please contact either the pkgsrc Security Team or appropriate NetBSD mailing list (e.g. pkgsrc-users or tech-pkg).

Security Resources

A number of security advisories and other security resources are available on-line at these sites: