Date: Mon, 20 Jan 2003 13:39:30 -0800 From: "Crist J. Clark" <crist.clark@attbi.com> To: David Bell <db@borderware.com> Cc: freebsd-security@freebsd.org Subject: Re: Vulnerability Note VU#412115 Message-ID: <20030120213930.GA34751@blossom.cjclark.org> In-Reply-To: <3E2C05F2.7080208@borderware.com> References: <5.2.0.9.2.20030120075839.021bfec8@mail.servplex.com> <3E2C05F2.7080208@borderware.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jan 20, 2003 at 09:21:38AM -0500, David Bell wrote: > > Is FreeBSD vulnerable to the following, and if so is it being addressed? > > http://www.kb.cert.org/vuls/id/412115 Yes, many FreeBSD network drivers display this behavior. If you followed any of the later discussion by the authors on several mailing lists, FreeBSD was one of many OSes on which they duplicated the problem. As for whether the "vulnerability" is being addressed, this issue has been known about for a long, long time, but has never been regarded as a priority. The real security exposure here is quite small. The cost of potentially breaking stuff and hurting performance has never been seen to be worth the effort of a sweep. I personally am not aware of a concerted effort to go through all of the Ethernet drivers to zero out extra memory, but someone may be doing it... It's a bit of a PITA and there is not a whole lot the Project can do about binary-only drivers supplied by some vendors. -- Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu http://people.freebsd.org/~cjc/ | cjc@freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030120213930.GA34751>