Date: Tue, 21 Jan 2003 07:34:48 -0500 From: David Bell <db@borderware.com> To: "Crist J. Clark" <cjc@freebsd.org> Cc: freebsd-security@freebsd.org Subject: Re: Vulnerability Note VU#412115 Message-ID: <3E2D3E68.3070208@borderware.com> References: <5.2.0.9.2.20030120075839.021bfec8@mail.servplex.com> <3E2C05F2.7080208@borderware.com> <20030120213930.GA34751@blossom.cjclark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Crist J. Clark wrote: >On Mon, Jan 20, 2003 at 09:21:38AM -0500, David Bell wrote: > >>Is FreeBSD vulnerable to the following, and if so is it being addressed? >> >>http://www.kb.cert.org/vuls/id/412115 >> > >Yes, many FreeBSD network drivers display this behavior. If you >followed any of the later discussion by the authors on several mailing >lists, FreeBSD was one of many OSes on which they duplicated the >problem. > >As for whether the "vulnerability" is being addressed, this issue has >been known about for a long, long time, but has never been regarded as >a priority. The real security exposure here is quite small. The >cost of potentially breaking stuff and hurting performance has never >been seen to be worth the effort of a sweep. I personally am not aware >of a concerted effort to go through all of the Ethernet drivers to >zero out extra memory, but someone may be doing it... It's a bit of a >PITA and there is not a whole lot the Project can do about binary-only >drivers supplied by some vendors. > It may be quite small, however image wise it is not good IMHO that FreeBSD is not doing anything to respond to this, or at least have some sort of official statement. You say many device drivers display this behavior, can you be more specific? Or tell me which ones do not display the behavior? Thanks, ~David Bell To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E2D3E68.3070208>