Date:      Mon, 20 Jan 2003 13:39:30 -0800
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        David Bell <db@borderware.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Vulnerability Note VU#412115
Message-ID:  <20030120213930.GA34751@blossom.cjclark.org>
In-Reply-To: <3E2C05F2.7080208@borderware.com>
References:  <5.2.0.9.2.20030120075839.021bfec8@mail.servplex.com> <3E2C05F2.7080208@borderware.com>

On Mon, Jan 20, 2003 at 09:21:38AM -0500, David Bell wrote:
> 
> Is FreeBSD vulnerable to the following, and if so is it being addressed?
> 
> http://www.kb.cert.org/vuls/id/412115

Yes, many FreeBSD network drivers display this behavior. If you
followed any of the later discussion by the authors on several mailing
lists, FreeBSD was one of many OSes on which they duplicated the
problem.

As for whether the "vulnerability" is being addressed, this issue has
been known about for a long, long time, but has never been regarded as
a priority. The real security exposure here is quite small. The
cost of potentially breaking stuff and hurting performance has never
been seen to be worth the effort of a sweep. I personally am not aware
of a concerted effort to go through all of the Ethernet drivers to
zero out extra memory, but someone may be doing it... It's a bit of a
PITA and there is not a whole lot the Project can do about binary-only
drivers supplied by some vendors.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
