Security and NetBSD
The NetBSD Project adopts the same approach to security as it does to the rest of the system: solutions, not hacks. Security issues in NetBSD are handled by the NetBSD security officer and the NetBSD security alert team. As well as investigating, documenting and updating code in response to newly reported security issues, the team also performs periodic code audits to find and remove potential security problems before they are reported.
NetBSD has integrated Kerberos 5 (Heimdal), SSH (OpenSSH) and full support for IPsec for both IPv4 and IPv6. In addition, all services default to their most secure settings, and no services are enabled by default for new installations.
When serious security problems in NetBSD are discovered and corrected, we issue a security advisory, describing the problem and containing a pointer to the fix. These are announced to our netbsd-announce mailing list as well as to various other mailing lists and websites. In addition, they are archived on this site as well as provided as an RSS feed.
Security advisories (most recent first):
- NetBSD-SA2007-004 Insufficient length checking in iso(4)
- NetBSD-SA2007-003 BIND multiple denial of service vulnerabilities
- NetBSD-SA2007-002 Integer overflows in Render and DBE extensions
- NetBSD-SA2007-001 Integer overflow in ktruser()
- NetBSD-SA2006-027 libc glob(3) buffer overflow
- NetBSD-SA2006-026 Multiple denial of service issues
- NetBSD-SA2006-025 Multiple information/memory leakage issues
- NetBSD-SA2006-024 systrace(4) integer overflow
- NetBSD-SA2006-023 OpenSSL RSA Signature Forgery
- NetBSD-SA2006-022 BIND recursive query and SIG query processing
- NetBSD-SA2006-021 Integer overflows in CID-keyed font parser
- NetBSD-SA2006-020 Integer overflows in PCF font parsers
- NetBSD-SA2006-019 Malicious PPP options can overrun a kernel buffer
- NetBSD-SA2006-018 sail(6), dm(8) and tetris(6) buffer overflows
- NetBSD-SA2006-017 Sendmail malformed multipart MIME messages
- NetBSD-SA2006-016 IPv6 socket options can crash the system
- NetBSD-SA2006-015 FPU Information leak on i386/amd64/Xen platforms with AMD CPUs
- NetBSD-SA2006-014 An audio subsystem race condition may crash the system
- NetBSD-SA2006-013 sysctl(3) local denial of service
- NetBSD-SA2006-012 SIOCGIFALIAS ioctl may cause system crash
- NetBSD-SA2006-011 IPSec replay attack
- NetBSD-SA2006-010 Sendmail race condition
- NetBSD-SA2006-009 False detection of Intel hardware RNG
- NetBSD-SA2006-008 Malformed ELF interpreter causes system crash
- NetBSD-SA2006-007 mail(1) creates record file with insecure umask
- NetBSD-SA2006-005 bridge memory disclosure
- NetBSD-SA2006-004 Denial of services issues with pf
- NetBSD-SA2006-003 Multiple denial of services issues with racoon
- NetBSD-SA2006-002 settimeofday() time wrap
- NetBSD-SA2006-001 Kernfs kernel memory disclosure
See the advisory archive for a complete list.
In some cases a security issue will be discovered in NetBSD-current and resolved soon after. These issues are usually short-lived and do not affect any NetBSD release. In these cases we do not release patches or advisories specifically for NetBSD-current, but instead recommend that you update to a version containing the fix; see the advisories above for the fix dates. If a security issue is identified that affects only NetBSD-current, the NetBSD security officer team will send an email to the current-users mailing list describing the issue and the updates needed. We recommend that all users running NetBSD-current subscribe to the current-users mailing list so that they are aware of these issues. Users tracking NetBSD-current should upgrade their systems often, both to gain new features and to pick up fixes for known issues.
The NetBSD Project has two security related contact points:
- The tech-security mailing list is an open forum for discussing issues related to NetBSD security.
- You can directly contact the NetBSD Project about security issues by sending email to <security-alert@NetBSD.org>.
To report a security problem in NetBSD, either contact the NetBSD <security-alert@NetBSD.org> team or send a standard NetBSD problem report, using the send-pr form or the send-pr(1) program on your NetBSD system.
Sensitive information should be encrypted using PGP, using the NetBSD security-officers' PGP key.
All published NetBSD security patches are available on the NetBSD Project's FTP server in the security/patches/ directory.
The NetBSD Packages Collection provides easy source or binary installation of a large number of third-party applications. Users should remember that there can often be bugs in third-party software, and some of these bugs can leave a machine vulnerable to exploitation. To cope with this, NetBSD provides an easy way to audit your installed packages for known vulnerabilities.
The NetBSD pkgsrc Security Team and package maintainers keep a list of known security vulnerabilities in packages which are (or have been) included in pkgsrc. The list is available from the NetBSD FTP site at:
Through audit-packages, this list can be downloaded automatically, and a security audit of all packages installed on a system can take place.
There are two components to audit-packages. The first, download-vulnerability-list, downloads the list of vulnerabilities (the pkg-vulnerabilities file) from the NetBSD FTP site. The second, audit-packages, matches each entry in that list against the packages installed on the system and reports any that are vulnerable. For a vulnerable package you will see output similar to the following:
Package samba-2.0.9 has a local-root-shell vulnerability, see http://www.samba.org/samba/whatsnew/macroexploit.html
Users can set up audit-packages to download the pkg-vulnerabilities file daily, and include a package audit in the daily security script. Details on this are located in the MESSAGE file for audit-packages.
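The check audit-packages performs is a comparison of each installed package name against the package patterns in the pkg-vulnerabilities file. The following is an added illustration of that matching, not the code of audit-packages or of pkgsrc. It assumes the documented layout of the file (one entry per line, three TAB-separated fields: package pattern, vulnerability type, URL; `#` lines are comments) and implements a simplified form of the pkgsrc "dewey" version ordering: numeric components compare numerically, a single trailing letter counts as a component (so 0.9.8d is newer than 0.9.8), alpha/beta/pre/rc sort below the plain release, and an nbN suffix (the NetBSD package revision) sorts above it. The vulnerability entries and the installed-package list are constructed samples; the vulnerability URLs other than the samba one are placeholders.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample in the pkg-vulnerabilities layout (not the real file).
SAMPLE_VULNERABILITIES = """\
# constructed sample, not the NetBSD pkg-vulnerabilities file
samba<2.0.10\tlocal-root-shell\thttp://www.samba.org/samba/whatsnew/macroexploit.html
openssl<0.9.8d\tsignature-forgery\thttp://example.invalid/openssl
bind-9.3.[0-2]*\tdenial-of-service\thttp://example.invalid/bind
zlib>=1.2.0<1.2.3\tremote-code-execution\thttp://example.invalid/zlib
"""

# Constructed list of installed packages, as pkg_info -e would print them.
SAMPLE_INSTALLED = [
    "samba-2.0.9",       # older than 2.0.10: vulnerable
    "openssl-0.9.8d",    # equal to the bound, so not "< 0.9.8d": clean
    "bind-9.3.2nb1",     # matched by the glob pattern: vulnerable
    "zlib-1.2.3",        # outside the half-open range: clean
    "xorg-server-1.2.0", # no entry at all
]

# Simplified dewey ordering (assumption: pre-release words below release,
# single letter = its position in the alphabet, unknown words = 0).
_ORDER = {"alpha": -3, "beta": -2, "pre": -1, "rc": -1, "pl": 0}
_TOKEN = re.compile(r"\d+|[a-z]+")
_NB = re.compile(r"^(.*?)(?:nb(\d+))?$")


def dewey(version):
    """Return (components, nb) so that tuple comparison orders versions."""
    base, nb = _NB.match(version.lower()).groups()
    comps = []
    for tok in _TOKEN.findall(base):
        if tok.isdigit():
            comps.append(int(tok))
        elif tok in _ORDER:
            comps.append(_ORDER[tok])
        elif len(tok) == 1:
            comps.append(ord(tok) - ord("a") + 1)
        else:
            comps.append(0)
    return comps, int(nb or 0)


def compare(a, b):
    """-1, 0 or 1 as version a is older than, equal to or newer than b."""
    ca, na = dewey(a)
    cb, nb = dewey(b)
    n = max(len(ca), len(cb))
    ka = (ca + [0] * (n - len(ca)), na)   # pad so 1.0 == 1.0.0
    kb = (cb + [0] * (n - len(cb)), nb)
    return (ka > kb) - (ka < kb)


_RANGE = re.compile(r"^([^<>]+?)((?:[<>]=?[^<>]+)+)$")
_COND = re.compile(r"([<>]=?)([^<>]+)")


def matches(pattern, pkg):
    """Does an installed package (name-version) match a vulnerability pattern?

    Relational patterns such as name<ver or name>=ver<ver compare versions;
    anything else is treated as a shell glob over the full package name."""
    if "-" not in pkg:
        return False
    name, version = pkg.rsplit("-", 1)
    m = _RANGE.match(pattern)
    if m is None:
        return fnmatchcase(pkg, pattern)
    if m.group(1) != name:
        return False
    for op, bound in _COND.findall(m.group(2)):
        c = compare(version, bound)
        holds = {"<": c < 0, "<=": c <= 0, ">": c > 0, ">=": c >= 0}[op]
        if not holds:
            return False
    return True


def audit(installed, vulnerability_text):
    """Report every installed package matched by a vulnerability entry,
    in the same one-line format audit-packages prints."""
    findings = []
    for line in vulnerability_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            continue  # malformed entry: skip rather than guess
        pattern, vtype, url = fields
        for pkg in installed:
            if matches(pattern, pkg):
                findings.append(
                    f"Package {pkg} has a {vtype} vulnerability, see {url}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INSTALLED, SAMPLE_VULNERABILITIES):
        print(finding)
```

The openssl and zlib entries show why the version ordering matters: a package at exactly the fixed version must not be flagged by a `<` bound, and an `nb` revision of a glob-matched version still matches. The real audit-packages uses the full pkgsrc pattern and dewey rules, so treat this as a model of the check, not a substitute for it.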
If you believe you have found a security issue for a software package in pkgsrc that is not detected by audit-packages then contact the pkgsrc Security Team.
A number of security advisories and other security resources are available on-line at these sites: