Promote BSD and Share the Wealth

Date: Sunday, January 19, 2003 - 6:14 pm

http://www.netbsd.org/Changes/#merge-nathanw_sa

NetBSD has supported symmetric multiprocessing (SMP) on a number of
systems for some time now, and support for native threads has now been
added by merging the nathanw_sa branch, which contains a Scheduler
Activations based threads implementation by Nathan Williams and Jason Thorpe.

SMP means running processes on more than one CPU in parallel. (With some
care-taking from the kernel that both CPUs don't step on each other with
respect to writing to kernel data structures etc.).

Threading means splitting up a process into several (well :) threads, and
letting them run on either one or more than one CPU. This is basically an
application-layer issue, in contrast to SMP which happens inside the
kernel. Having SMP available helps for performance in threaded systems as
threads can be run in parallel on several CPUs, but SMP is not strictly
necessary for a threaded system.

Many applications today use a threaded software architecture (over the
classical Unix "fork"ed processes), and so having some efficient threads
implementation is an important goal of the NetBSD project.

With the Scheduler Activations based work that Jason and Nathan made, this
is a very efficient implementation that can map N userland threads to M
kernel threads, and there is no need to have one kernel thread for each
userland thread, like some other systems (used to?) have, and which kills
performance for many threads.

With native threads now available in NetBSD-current, applications from
pkgsrc will readily pick it up upon rebuild, and things will be fixed over
the coming time.

For instructions on how to port existing applications and to use threads
in your own programs using the new libpthreads that come with NetBSD now,
see http://www.humanfactor.com/pthreads/.

(Thanks to Hubert Feyrer <hubertf@netbsd.org> for the detailed press
release.)

--
http://www.netbsd.org -
Multiarchitecture OS, no hype required.

To: <netbsd-announce@...>
Date: Thursday, September 13, 2007 - 5:56 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2007-007
=================================

Topic:          BIND cryptographically weak query IDs

Version:        NetBSD-current:    source prior to July 24, 2007
                NetBSD 4.0_BETA2:  affected
                NetBSD 3.1:        affected
                NetBSD 3.0.*:      affected
                NetBSD 3.0:        affected
                NetBSD 2.1:        affected
                NetBSD 2.0.*:      affected
                NetBSD 2.0:        affected

Severity:       Remote DNS cache poisoning

Fixed:          NetBSD-current:    July 24, 2007
                NetBSD-4 branch:   July 31, 2007
                                   (4.0 will include the fix)
                NetBSD-3-1 branch: August 14, 2007
                                   (3.1.1 will include the fix)
                NetBSD-3-0 branch: August 14, 2007
                                   (3.0.3 will include the fix)
                NetBSD-3 branch:   August 14, 2007
                NetBSD-2-1 branch: September 13, 2007
                NetBSD-2-0 branch: September 13, 2007
                NetBSD-2 branch:   September 13, 2007
                pkgsrc:            bind-9.4.1pl1 corrects the issue
                                   bind-8.4.7pl1 corrects the issue

Abstract
========

Due to the use of cryptographically weak query IDs an attacker can predict
query IDs and poison the cache by injecting their own responses.

This vulnerability has been assigned CVE references CVE-2007-2926 for BIND 9.x
and CVE-2007-2930 for BIND 8.x.

Technical Details
=================

- From www.isc.org:

BIND 9.x:
"The DNS query id generation is vulnerable to cryptographic analysis which
provides a 1 in 8 chance of guessing the next query id for 50% of the query
ids. This can be used to perform cache poisoning by an attacker.

This bug only affects outgoing queries, generated by BIND 9 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

BIND 8.x:
"This bug only affects outgoing queries, generated by BIND 8 to answer
questions as a resolver, or when it is looking up data for internal uses,
such as when sending NOTIFYs to slave name servers."

Solutions and Workarounds
=========================

It is recommended that NetBSD users of vulnerabl...

To: <netbsd-announce@...>
Date: Saturday, July 26, 2008 - 3:45 am

The pkgsrc-2008Q2 Release
=========================

The pkgsrc developers are very proud to announce the new pkgsrc-2008Q2
release, which has support for more packages than previous releases.
As well as updated versions of many packages, the infrastructure of
pkgsrc itself has been improved for better platform and compiler
support.

At the same time, the pkgsrc-2008Q1 release has been deprecated, and
continuing engineering starts on the pkgsrc-2008Q2 release.

With more than ten years of pkgsrc development behind us, we would
like to take this opportunity to thank all of the people who have made
pkgsrc the most portable packaging system in the world - to all of the
users, developers and supporters a very large "Thank you" from all of
us.

Some highlights of the new pkgsrc-2008Q2 release are:

+ a new ruby gems framework, from Stoned Elipot and Johnny Lam
+ many more packages have been moved to install into a staging directory -
  the DESTDIR work that Joerg Sonnenberger has done almost singlehandedly
+ many, many packages have been updated to newer versions, to take
  advantage of fixes and improved functionality. The following versions
  of packages are included in the pkgsrc-2008Q2 release:

    + apache-2.2.9
    + firefox-2.0.0.16 and firefox-3.0.1
    + gnome-2.20.2
    + kde-3.5.9
    + mysql-5.0.51
    + openoffice-2.4.1
    + opera-9.27
    + postgresql-8.3.3
    + python-2.5.2
    + ruby-1.8.7.22
    + samba-3.0.30
    + seamonkey-1.1.11
    + wireshark-1.0.2
    + zope-3.3.1

+ other changes include
    + Jared Mcneill has re-worked the compiz window manager
      packages
    + the new ruby gems framework is easy to use, scalable, and
      very effective
    + Eric Gillespie has updated the subversion package to 1.5.0,
      and reworked part of the additional language support
    + thanks to Jared Mcneill, David Holland and Reinoud Zandijk,
      wine-1.0 works well on NetBSD
    + the addition of some interesting, pertinent, and shiny
      packages such as acroread8, bind95, blame, boxbackup (client
      and server), co...

To: <netbsd-announce@...>
Date: Wednesday, April 2, 2008 - 1:36 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

Google has extended the student applications period for this year's
Summer of Code until April 7th, 2008. This means, it's not too late to
submit your proposal. With the extra days, you still have time to get
in touch with a mentor, to discuss your proposal on one of our mailing
lists and to solicit feedback before refining and submitting it.

Let me also take this as an occasion to remind everybody that we also
welcome students' proposals that are not explicitly listed on our
projects page. If you have a great idea on how to make NetBSD better,
just flesh out your thoughts and hand in your application.

Due to the strong competition in the Summer of Code program, you may
even wish to submit a second proposal; often we receive multiple
proposals for the same project and have a hard time choosing one student
over the other -- a second proposal of equal quality might increase your
chances to be accepted.

If you have any questions, please contact the appropriate mailing list
or see if some of your possible mentors are available on #netbsd-code on
IRC (freenode.net).

- -Jan

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFH8xrxfFtkr68iakwRAllJAKDclE5uQSjDVjEfonSkUheM3lC59wCdHJZn
wDCNXbPg9lzG+tbWZuEKXBk=
=WD/X
-----END PGP SIGNATURE-----


[For a full list of the changes, please refer to the mail on the
current-users mailing list - agc]

Summary of Changes to the NetBSD Packages Collection in May 2003
================================================================

By my calculations, at the end of May 2003, there were 3762 packages
in the NetBSD Packages Collection, up from 3708 the previous month, a
rise of 54.

Notable additions include: adobeps-win, apr, BitTorrent,
Canna-server, celestia, celestia-gnome, celestia-kde, cmake,
crimsonfields, diffstat, dovecot, dvd+rw-tools, elf, elfsh, gnus,
gnutls, golem, gtkglarea2, icdprog, ja-dvi2tty, kmymoney2, kochi-otf,
libtasn1, lpe, mbmon, mozilla-bin-nightly, oo2c, opencdk, overnet,
p5-HTTP-DAV, p5-MARC, p5-Net-Z3950, p5-Set-Scalar, p5-Time-Period,
phoenix-bin-acroread3, phoenix-bin-acroread5, ProjectCenter, puf,
py-gtk2, py-ORBit, pyslsk, rtptools, scli, SDLmm, sigrot, sirius,
ssh2-nox11, static-ast-ksh, subversion-base, subversion-python,
swig-build, swig-python, utftools, xmbmon, yabasic, and yaz.

Notable updates include: acroread5, aewm++, amaya, anjuta, ap-xslt,
ap2-subversion, apache2, apr, arts, ast-ksh, audit-packages, automake,
bbkeys, bbpager, bitchx, blackbox, blender, boehm-gc, boolean,
bsetroot, bug-buddy, cadaver, Canna-dict, Canna-lib, Canna-server-bin,
centericq, cfengine2, cfengine2-doc, cgoban-java, chicken, conserver,
cpuflags, cssc, cue, cups, curl, cvsync, cyrus-imapd, cyrus-sasl,
denemo, dia, dillo, distcc, docbook-xsl, doxygen, driftnet,
dvd+rw-tools, easytag, ee, eggdrop, ekg, elib, enlightenment,
enscript, etach, etcupdate, eterm, ethereal, euler, evolution, exmh,
fam, fbdesk, file-roller, flow-tools, fluxbox, fnlib, gaim, gale,
galeon, gauche, gcc, gcc3, gedit, ghostscript-esp,
ghostscript-esp-nox11, gimp, gimp-base, giram, glade2, gmc, gmplayer,
gnet, gnome-chess, gnome-dirs, gnome-games, gnome-libs, gnome-media,
gnome-mime-data, gnome-pilot, gnome-pim, gnome-utils, gnome1-dirs,
gnome2-dirs, gnome2-games, gnucash, gnumeric, gnumeric0, gn...

To: <netbsd-announce@...>
Date: Thursday, February 28, 2008 - 7:37 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2008-003
=================================

Topic:          IPsec in IPv6 Denial of Service

Version:        NetBSD-current:    not affected
                NetBSD 4.0:        not affected
                NetBSD 3.1:        affected
                NetBSD 3.0.*:      affected
                NetBSD 3.0:        affected
                NetBSD 2.1:        affected
                NetBSD 2.0.*:      affected
                NetBSD 2.0:        affected

Severity:       Remote denial of service

Fixed:          NetBSD-3-1 branch: November 22, 2007
                                   (3.1.2 will include the fix)
                NetBSD-3-0 branch: November 22, 2007
                                   (3.0.4 will include the fix)
                NetBSD-3 branch:   November 22, 2007
                                   (3.2 will include the fix)
                NetBSD-2-1 branch: December 01, 2007
                NetBSD-2-0 branch: December 01, 2007
                NetBSD-2 branch:   December 01, 2007

Abstract
========

A remote user can cause the system to panic by sending a crafted IPv6
packet to a system with an IPSEC enabled kernel.

This vulnerability has been assigned VU#110947 by CERT.

Technical Details
=================

When processing an IPComp packet over IPv6 with an IPsec enabled kernel
an uninitialised pointer is referenced which results in a system panic.

Solutions and Workarounds
=========================

Only kernels compiled with the following option are vulnerable to this issue:

options IPSEC

As a temporary workaround recompile the kernel with the above option
commented out. The default NetBSD GENERIC kernels do not have this
option enabled.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.
The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.

To update from CVS, re-build, and re-install the kernel:

# cd src
# cvs update sys/neti...


Summary of Changes to the Packages Collection in November and December 2003
===========================================================================

[For a fuller list of the changes, please refer to the mail in
the current-users mailing list - agc]

By my calculations, at the end of December 2003, there were 4310
packages in the NetBSD Packages Collection, up from 4170 the previous
month, a rise of only 140. We also tagged a new branch for pkgsrc,
which is being actively maintained - the branch is called
"pkgsrc-2003Q4". As the name implies, we will be branching pkgsrc on
a regular basis from now on, and maintaining the branch.

This mail covers November and December 2003, since there was little
new activity last November, due to the work being done on preparing
pkgsrc for the branch.

Notable additions include: abiword2, ap2-auth-mysql, apachetop,
apotheke, at-spi, automake17, awf, blccc, blib, blinkensim,
blinkenthemes, blinkentools, boson, bsdiff, buddy, cdrtools-ossdvd,
chef, compat16, crack-attack, csound-dev, dar, db2latex, devIL,
docbook-simple, dtdparse, emacs20-elib, exim3, fisg, fixesext,
fribidi, gnetcat, gnome-acme, gnome-mag, gnome-speech,
gnome-themes-extra, gnome2-system-monitor, gnopernicus, gok, gpdf,
gpgme03, grdc, gsasl, gss, gtk-send-pr, gtk2-theme-switch, gtkhtml3,
gucharmap, gxmame, jabberd, jpeg_ls, kodos, libcaca, libgpg-error,
libidn, libntlm, libsoup, libstree, libtecla, ljpeg, milter-spamc,
MozillaFirebird-gtk2-bin, MozillaFirebird-gtk2-bin-nightly, mph,
mysql-client, mysql-server, mysqlcc, newsx, nikto, obconf, ode, ogre,
openbox, openmortal, p5-Algorithm-Annotate, p5-Algorithm-Diff,
p5-Algorithm-Merge, p5-CGI-FormBuilder, p5-Crypt-OpenSSL-Bignum,
p5-Crypt-OpenSSL-DSA, p5-Crypt-OpenSSL-Random, p5-Crypt-OpenSSL-RSA,
p5-Devel-Profile, p5-Digest, p5-Digest-BubbleBabble,
p5-Digest-Hashcash, p5-File-DirSync, p5-INET6,
p5-Log-Dispatch-FileRotate, p5-Mail-ClamAV, p5-Memoize-ExpireLRU,
p5-Net-Bind, p5-Net-CIDR, p5-Net-DNS-SEC, p5-subversion, p5-SVN-...

To: <netbsd-announce@...>
Date: Wednesday, April 29, 2009 - 5:49 pm

On behalf of the NetBSD developers, I am proud to announce that
NetBSD 5.0, the thirteenth release of the NetBSD operating system,
is now available.

NetBSD 5.0 features greatly improved performance and scalability on
modern multiprocessor (SMP) and multi-core systems. Multi-threaded
applications can now efficiently make use of more than one CPU or core,
and system performance is much better under I/O and network load.

This improved performance is the result of a rewritten threading
subsystem based on a 1:1 threading model, new kernel synchronization
primitives, kernel preemption, a rewritten scheduler implementation,
real-time scheduling extensions, processor sets, and dynamic CPU sets
for thread affinity. Almost all core kernel subsystems, like virtual
memory, memory allocators, file system frameworks for major file
systems, and others were audited and overhauled to make use of highly
concurrent algorithms.

In addition to scalability and performance improvements, a significant
number of major features have been added. Some highlights are: a preview
of metadata journaling for FFS file systems (known as WAPBL, Write
Ahead Physical Block Logging), the 'jemalloc' memory allocator, the
X.Org X11 distribution instead of XFree86 on a number of ports, the
Power Management Framework, ACPI suspend/resume support on many
laptops, write support for UDF file systems, the Automated Testing
Framework, the Runnable Userspace Meta Program framework, Xen 3.3
support for both i386 and amd64, POSIX message queues and
asynchronous I/O, and many new hardware device drivers.

For full details, please see the release notes at:

http://www.NetBSD.org/releases/formal-5/NetBSD-5.0.html

ISO images can be downloaded using BitTorrent, and we encourage users
who wish to install via ISO images to take advantage of this, as the
images are very well seeded.

http://www.NetBSD.org/mirrors/torrents/

Complete source and binaries for NetBSD 5.0 are available for download
at many sites around the...

Date: Thursday, December 23, 2004 - 2:27 pm

Hello,

Over the past few days our anonymous CVS machine (anoncvs.netbsd.org)
has been experiencing random memory corruption.

The NetBSD Administration Team is in the process of diagnosing and
repairing the problem. The anonymous CVS server will be unavailable
until we can find a replacement machine or repair the current one.
In the meantime, you can download the tar file available from
ftp.netbsd.org. The tar files of -current (the head of the CVS
tree) are updated daily and are located in:

/pub/NetBSD/NetBSD-current

We will make an announcement when the service is back on line.
We apologize for the inconvenience.

christos

On Behalf of The NetBSD Administration Team

Date: Monday, May 2, 2005 - 6:51 pm

Listed below are the prospective timeframes for upcoming NetBSD releases.

Please keep in mind that none of the branches for these are currently in
a release candidate state so these dates are subject to move.

NetBSD 3.0 - Planned for late July 2005 release

This was originally branched on March 16, 2005 and is in BETA
today. It will become the next major release for NetBSD.

NetBSD 2.1 - Planned for late June 2005 release

This will be the first minor release of the NetBSD 2 branch and
will incorporate all changes from the NetBSD 2.0.1 and 2.0.2
security/critical updates as well as new feature additions/fixes.

NetBSD 1.6.3 - Planned for August/September 2005 release

This will be the final minor release of the NetBSD 1.6 branch
and will close out any existing fixes submitted. After this has
been released the 1.6 branch will be closed.

As release times get closer on each of these, additional announcements will
go out to let folks know about possible changes in the release dates.

As usual, if there are any questions/concerns about the releases please feel
free to mail us at releng@netbsd.org

Thanks

James


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2005-001
=================================

Topic:          Crypto leaks across HyperThreaded CPUs (i386, P4, HTT+SMP only)

Version:        NetBSD-current:         affected, i386 on P4 with HTT and SMP kernels
                NetBSD 2.0:             affected, i386 on P4 with HTT and SMP kernels
                NetBSD 1.6 and earlier: not affected, i386 SMP was not in these releases

Severity:       Possible exposure of cryptographic key information to local users

Fixed:          Best Practices are under discussion. See below.

Abstract
========

The Pentium CPU shares caches between HyperThreads. This permits a local
process to gain a side-channel against cryptographic processes running
on the other HyperThread. Testing for cached data can be accomplished by
timing reads. Under some circumstances, this permits the spying process
to extract bits of the key. This has been demonstrated against OpenSSL.

Technical Details
=================

The full explanation of the issue can be found here:

http://www.daemonology.net/papers/htt.pdf

This issue affects only a subset of i386 systems.

Your system is not affected if you are running a CPU without HyperThreading.

Your system is not affected if you are running a non-SMP kernel.

Your system is not affected if you have disabled HyperThreading in your
BIOS, and confirmed that the virtual CPUs are not detected by the kernel
during boot.

Your system is affected, but probably not at risk, if you do not permit
shell access by untrusted users.

Additional resources:

http://www.daemonology.net/hyperthreading-considered-harmful/
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc

Solutions and Workarounds
=========================

This issue is fundamental to the design and implementation of
HyperThreading in Intel processors. Avoiding the problem is possible,
and two workarounds are available now. Others which may appear later are
also discussed.

Option 1. Disable HyperThrea...

Date: Thursday, August 11, 2005 - 10:46 am

cvsweb.NetBSD.org will be offline this weekend because of
a scheduled power cut.

start time: Sat, Aug 13, 14:00 GMT
end time: Sun, Aug 14, 22:00 GMT

You are welcome to use one of the following mirrors during the outage:
http://cvsweb2.jp.netbsd.org/
http://cvsweb.de.netbsd.org/
http://cvsweb.lt.netbsd.org/
http://cvsweb.no.netbsd.org/
http://cvsweb.se.netbsd.org/

This also affects the Japanese mailing lists (@jp.NetBSD.org) and the
following Japanese mirror services

* www.jp.NetBSD.org
* cvsweb.jp.NetBSD.org
* anoncvs.jp.NetBSD.org
* cvsup.jp.NetBSD.org
* rsync.jp.NetBSD.org
* sup.jp.NetBSD.org
* iso.jp.NetBSD.org

Sorry for the inconvenience.
--
soda

Date: Monday, October 31, 2005 - 11:52 am

The NetBSD Project is pleased to announce that update 2.0.3 of the NetBSD
operating system is now available as a source only update.

About NetBSD 2.0.3
------------------

NetBSD 2.0.3 is the third security/critical update of the NetBSD 2.0 release
branch. This represents a selected subset of fixes deemed critical in nature
for stability or security reasons.

All fixes in security/critical updates (ie, NetBSD 2.0.2, 2.0.3, etc)
are cumulative, so this latest update contains all such fixes since the
NetBSD 2.0 release. These fixes will also appear in future
releases (NetBSD 2.1, 2.2, etc), together with other less-critical fixes
and feature enhancements.

Complete source for NetBSD 2.0.3 is available for download at many sites around
the world. A list of download sites providing FTP, AnonCVS, SUP, and other
services is provided at the end of this announcement; the latest list of
available download sites may also be found at:

http://www.NetBSD.org/mirrors/

About NetBSD
------------

The NetBSD operating system is a full-featured, open source, UNIX-like
operating system descended from the Berkeley Networking Release 2 (Net/2),
4.4BSD-Lite, and 4.4BSD-Lite2. NetBSD runs on 54 different system
architectures featuring 17 machine architectures across 17 distinct CPU
families, and is being ported to more.

NetBSD is a highly integrated system. In addition to its highly portable,
high performance kernel, NetBSD features a complete set of user utilities,
compilers for several languages, the X Window System, firewall software and
numerous other tools, all accompanied by full source code. The NetBSD
Packages Collection contains over 5000 packages and binary package releases
for a number of platforms are currently in progress.

More information on the goals of the NetBSD Project can be procured from the
NetBSD web site at:

http://www.NetBSD.org/Goals/

NetBSD is free. All of the code is under non-restrictive licenses, and may be
used without paying royal...

Date: Thursday, February 23, 2006 - 7:47 pm

The NetBSD Project has created a new mailing list "pkgsrc-users@NetBSD.org"
to better serve the pkgsrc user community and to help refocus the
existing "tech-pkg@NetBSD.org" mailing list for technical discussions.
The charters for these two lists are:

pkgsrc-users@NetBSD.org:
This is a general purpose list for most issues regarding the
pkgsrc, regardless of platform, e.g. soliciting user help for
pkgsrc configuration, unexpected build failures, using particular
packages, upgrading pkgsrc installations, questions regarding
the pkgsrc release branches, etc. General announcements or
proposals for changes that impact the pkgsrc user community,
e.g. major infrastructure changes, new features, package
removals, etc., may also be posted.

tech-pkg@NetBSD.org:
This is a list for technical discussions related to pkgsrc
development, e.g. soliciting feedback for changes to pkgsrc
infrastructure, proposed new features, questions related
to porting pkgsrc to a new platform, advice for maintaining
a package, patches that affect many packages, help requests
moved from "pkgsrc-users@NetBSD.org" when an infrastructure
bug is found, etc.

All current subscribers to the "tech-pkg" mailing list are encouraged
to subscribe to the "pkgsrc-users" mailing list.

pkgsrc began in August 1997 as a package system for NetBSD. Now
entering the project's ninth year, pkgsrc has been ported to multiple
operating systems and has grown to contain well over 5,000 packages.
Due to the overwhelming success of pkgsrc, we are attracting a much
wider audience of users across several different platforms, and we
are discovering that the continuing growth of pkgsrc is straining the
usability of our one mailing list devoted to discussing "all things
pkgsrc". The creation of a new list devoted to user-related issues
will provide pkgsrc with two forums that have separate focuses and
will help users and developers alike.

-- Johnny Lam <jlam@NetBSD.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2006-007
=================================

Topic:          mail(1) creates record file with insecure umask

Version:        NetBSD-current:    source prior to March 03, 2006
                NetBSD 3.0:        affected
                NetBSD 2.1:        affected
                NetBSD 2.0.*:      affected
                NetBSD 2.0:        affected
                NetBSD 1.6.*:      affected
                NetBSD 1.6:        affected

Severity:       Information disclosure

Fixed:          NetBSD-current:    March 03, 2006
                NetBSD-3-0 branch: March 17, 2006
                                   (3.0.1 will include the fix)
                NetBSD-3 branch:   March 17, 2006
                NetBSD-2-1 branch: March 17, 2006
                                   (2.1.1 will include the fix)
                NetBSD-2-0 branch: March 17, 2006
                                   (2.0.4 will include the fix)
                NetBSD-2 branch:   March 17, 2006

Abstract
========

If the "set record" setting is present in a user's .mailrc, and they
have the default umask set, the record file will be created with insecure
permissions.

Technical Details
=================

When mail(1) creates the user's record file it currently does so using the
default umask of 0644. This may leave the record file of a user's email
readable by other users of the system.

Solutions and Workarounds
=========================

The default NetBSD running mail configuration is not vulnerable to this
bug, since the "set record" setting is not present by default in .mailrc.

The following instructions describe how to upgrade your mail
binaries by updating your source tree and rebuilding and
installing a new version of mail.

* NetBSD-current:

Systems running NetBSD-current dated from before 2006-03-02
should be upgraded to NetBSD-current dated 2006-03-03 or later.

The following file needs to be updated from the
netbsd-current CVS branch (aka HEAD):
usr.bin/mail/send.c

To update from CVS, re-build, and re-install mail:
# cd src
# cvs update -d -P usr.bin/mail/send.c
# cd usr.bin/mail
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install

* NetBSD 3.*:

Systems...
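
(Added example, not part of the advisory and not the code from usr.bin/mail/send.c.) The failure mode described under Technical Details, sketched in C: a file created with the usual 0666 request under umask 022 ends up 0644, while an explicit 0600 request plus fchmod() keeps it private and also tightens a file left behind by the old behaviour. The function names and the /tmp scratch directory are assumptions made for the demonstration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* mkdtemp, O_NOFOLLOW, fchmod */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names: which creation path the demonstration exercises. */
enum strategy { WEAK, PRIVATE, WEAK_THEN_PRIVATE };

/* Weak: fopen() requests mode 0666 and leaves the final permissions to the
 * caller's umask, so umask 022 produces a world-readable 0644 file. */
static int create_record_weak(const char *path)
{
    FILE *fp = fopen(path, "a");
    if (fp == NULL)
        return -1;
    return fclose(fp) == 0 ? 0 : -1;
}

/* Hardened: request 0600 explicitly, refuse to follow a symlink at the final
 * path component, and fchmod() so that a file that already existed with
 * loose permissions is tightened as well (O_CREAT alone never changes the
 * mode of an existing file). */
static int create_record_private(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    return close(fd) == 0 ? 0 : -1;
}

/* Permission bits of path, or -1 if it cannot be examined. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create a record file in a fresh scratch directory under umask 022 using
 * the chosen strategy and return the resulting permission bits (-1 on
 * error). The scratch directory under /tmp is an assumption of this demo. */
int record_mode_after(enum strategy s)
{
    char dir[] = "/tmp/record-demo-XXXXXX";
    char path[64];
    int rc = 0, mode;
    mode_t saved;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof path, "%s/record", dir);

    saved = umask(022);                 /* the common default umask */
    if (s == WEAK || s == WEAK_THEN_PRIVATE)
        rc = create_record_weak(path);
    if (rc == 0 && (s == PRIVATE || s == WEAK_THEN_PRIVATE))
        rc = create_record_private(path);
    umask(saved);

    mode = rc == 0 ? mode_of(path) : -1;
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void)
{
    printf("weak creation:            %04o\n", (unsigned)record_mode_after(WEAK));
    printf("private creation:         %04o\n", (unsigned)record_mode_after(PRIVATE));
    printf("existing file, tightened: %04o\n",
           (unsigned)record_mode_after(WEAK_THEN_PRIVATE));
    return 0;
}
```

The third case matters after an upgrade: record files written before the fix keep their old mode until something tightens them.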


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2006-011
=================================

Topic:          IPSec replay attack

Version:        NetBSD-current:    source prior to March 23, 2006
                NetBSD 3.0:        affected
                NetBSD 2.1:        affected
                NetBSD 2.0.*:      affected
                NetBSD 2.0:        affected

Severity:       Systems could be vulnerable to a replay attack

Fixed:          NetBSD-current:    March 23, 2006
                NetBSD-3-0 branch: March 28, 2006
                                   (3.0.1 will include the fix)
                NetBSD-3 branch:   March 28, 2006
                NetBSD-2-1 branch: March 30, 2006
                                   (2.1.1 will include the fix)
                NetBSD-2-0 branch: March 30, 2006
                                   (2.0.4 will include the fix)
                NetBSD-2 branch:   March 30, 2006

Abstract
========

A vulnerability was found in the fast_ipsec(4) stack that renders the
IPSec anti-replay service ineffective under certain circumstances.

If the upper layer protocol doesn't provide any anti-packet replay
verification (for example, UDP) the system may be vulnerable to a
replay attack.

This vulnerability has been assigned CVE reference CVE-2006-0905.

Technical Details
=================

The anti-replay service specifies an algorithm for preventing
injection of previously received packets from unknown parties
(the replay attack).

Due to a programming error in the fast_ipsec(4) stack, the Sequence
Number associated with a SA was not being updated, thus allowing
packets to bypass any sequence verification check.

Solutions and Workarounds
=========================

The default configuration of NetBSD does not ship with FAST_IPSEC enabled.

For all NetBSD versions, you need to obtain fixed kernel sources,
rebuild and install the new kernel, and reboot the system.

The fixed source may be obtained from the NetBSD CVS repository.

The following instructions briefly summarise how to upgrade your
kernel. In these instructions, replace:

ARCH with your architecture (from uname -m), and
KERNCONF with the name of your kernel configuration file.

To update...
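
(Added example, not part of the advisory and not fast_ipsec(4) source.) A minimal C model of the sliding-window anti-replay check described under Technical Details, run over a constructed sequence-number trace: with the state update in place, duplicates and stale packets are dropped; with the update skipped, as in the programming error the advisory describes, every packet passes. The struct, the function names, the 32-packet window and the trace are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REPLAY_WINDOW 32u   /* window size in packets (assumed for the demo) */

/* Per-SA receive state (hypothetical layout, not the kernel's). */
struct replay_state {
    uint32_t last_seq;  /* highest sequence number accepted so far */
    uint32_t bitmap;    /* bit i set => sequence (last_seq - i) already seen */
};

/* Check only: returns 1 if seq may be accepted, 0 if it is a duplicate or
 * has fallen off the left edge of the window. Sequence-number wraparound is
 * not modelled; an SA is expected to be rekeyed before that happens. */
static int replay_check(const struct replay_state *rs, uint32_t seq)
{
    uint32_t diff;

    if (seq == 0)
        return 0;                       /* 0 is never sent on an SA */
    if (seq > rs->last_seq)
        return 1;                       /* newer than anything seen */
    diff = rs->last_seq - seq;
    if (diff >= REPLAY_WINDOW)
        return 0;                       /* too old to track */
    return (rs->bitmap & (1u << diff)) == 0;
}

/* Record an accepted packet. Only call after replay_check() succeeded. */
static void replay_update(struct replay_state *rs, uint32_t seq)
{
    if (seq > rs->last_seq) {
        uint32_t shift = seq - rs->last_seq;
        rs->bitmap = shift < REPLAY_WINDOW ? (rs->bitmap << shift) | 1u : 1u;
        rs->last_seq = seq;
    } else {
        rs->bitmap |= 1u << (rs->last_seq - seq);
    }
}

/* Feed a trace of sequence numbers through the receiver and count how many
 * packets are accepted. update_state == 0 models a receiver that performs
 * the check but never records what it accepted. */
size_t count_accepted(const uint32_t *seqs, size_t n, int update_state)
{
    struct replay_state rs = {0, 0};
    size_t accepted = 0;

    for (size_t i = 0; i < n; i++) {
        if (!replay_check(&rs, seqs[i]))
            continue;
        /* A real stack verifies the packet's integrity check value here,
         * before the state is touched. */
        accepted++;
        if (update_state)
            replay_update(&rs, seqs[i]);
    }
    return accepted;
}

/* Constructed trace: 7 distinct in-window packets, four duplicates
 * (2, 3, 5, 40) and one packet (6) that arrives after the window has
 * moved on to 40. */
static const uint32_t TRACE[] = {1, 2, 3, 2, 5, 4, 3, 5, 40, 6, 40, 41};

size_t demo_accepted(int update_state)
{
    return count_accepted(TRACE, sizeof TRACE / sizeof TRACE[0], update_state);
}

int main(void)
{
    printf("state updated:     %zu of 12 accepted\n", demo_accepted(1));
    printf("state not updated: %zu of 12 accepted\n", demo_accepted(0));
    return 0;
}
```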

Date: Thursday, April 18, 2002 - 7:38 pm

Daemon News is offering a new incentive program to help get the
community more involved with the promotion of BSD.

We know that the more BSD "stuff" we get out to people, the more people
will use BSD. To spread the word and get the products out there, we've
put together two programs that allow the BSD community to get involved.
Sales of these products help promote BSD by supporting Daemon News
programs and services, helping other BSD-related companies like Wasabi
and FreeBSD Systems, and, for OSes, monetary donations to the
projects' foundations.

Here are the two programs, one for everyone and a special offer for web
site authors/owners:

1) Website owners can place links to bsdmall.com promoting BSD products
and earn 5% of all sales generated from those links.

It is extremely easy to get started promoting BSD stuff. Contact
us and we will send you a trackable link that you can use on all your
web sites to promote BSD products. You will instantly earn credit
that you can use on bsdmall.com or have an option to cash out.

2) Community members can request BSD products to be listed at retail
stores and we will give you a BSD Mall gift certificate for each
store that places an order.

Contact your local retail, computer, or campus bookstore and request
that they stock BSD products. Then, e-mail us with the list of places
that you have contacted. Details on what to tell them can be found
at http://www.daemonnews.org/promote/

When they place an order we will send the first person who contacted
us with their information a gift certificate for bsdmall.com, which
you can cash in for cool BSD stuff.

It doesn't take much time to help BSD, Daemon News, and yourself by
linking to and recommending BSD products that we carry. Get started
today by visiting http://daemonnews.org/promote/.

Thanks!

Chris Coleman Editor in Chief
Daemon News E-Zine http://www.daemonnews.org
Print Ma...

Date: Monday, July 1, 2002 - 5:55 pm

The NetBSD Project is pleased to welcome the following new developers,
who have joined the project since May 2002:

* Hiroyuki Bessho (bsh@netbsd.org), who will be working on the
arm ports.
* Tero Kivinen (kivinen@netbsd.org), who will be working on
laptop hardware support.
* Mattias Karlsson (keihan@netbsd.org), who will be helping
out with the www@netbsd.org mailing list and working
on the web site.
* Love Hoernquist-Astrand (lha@netbsd.org), who will be working
on debugging support.

As usual, we welcome these new developers to The NetBSD Project!

Date: Monday, July 24, 2006 - 2:02 pm

Announcing NetBSD 3.0.1

About the NetBSD 3.0.1 Release

The NetBSD Project is pleased to announce that update 3.0.1 of the
NetBSD operating system is now available. NetBSD 3.0.1 is the first
security/critical update of the NetBSD 3.0 release branch. This
represents a selected subset of fixes deemed critical in nature for
stability or security reasons; no new features have been added.

NetBSD 3.0.1 runs on 57 different system architectures featuring 17
machine architectures across 17 distinct CPU families, and is being
ported to more. The NetBSD 3.0.1 release contains complete binary
releases for 53 different machine types, with the platforms amigappc,
bebox, pc532 and playstation2 released in source form only. Complete
source and binaries for NetBSD 3.0.1 are available for download at
many sites around the world. A list of download sites providing FTP,
AnonCVS, SUP, and other services is provided at the end of this
announcement; the latest list of available download sites may also be
found at http://www.NetBSD.org/mirrors/. We encourage users who
wish to install via a CD-ROM ISO image to download via BitTorrent by
using the torrent files supplied in the ISO image area.

A list of checksums for the NetBSD 3.0.1 distribution has been signed
with the well-connected PGP key for the NetBSD Security Officer:
ftp://ftp.NetBSD.org/pub/NetBSD/security/hashes/NetBSD-3.0.1_hashes.asc

Please note that all fixes in security/critical updates (ie, NetBSD
3.0.1, 3.0.2, etc) are cumulative, so the latest update contains all
such fixes since the corresponding minor release. These fixes will
also appear in future minor releases (ie, NetBSD 3.1, 3.2, etc),
together with other less-critical fixes and feature enhancements.

Dedication

The NetBSD Foundation would like to dedicate the NetBSD 3.0.1 release
to the memory of Richard Rauch, wh...

Date: Friday, September 1, 2006 - 3:36 am

Organizational Changes to the NetBSD Project
============================================

In 1997 the NetBSD Foundation, the nonprofit corporation which manages
development of the NetBSD operating system, failed to pay its
corporate fees and lapsed as a legal entity. Shortly thereafter, in
1999, Herb Peyerl resigned from the Foundation's Board of Directors,
causing the Board to fail to meet the requirements of the
corporation's bylaws, which required a minimum of three directors.

In 2002 the developers of NetBSD, who are the members and owners of
the Foundation, voted to reorganize the corporation through an open
process of instituting new Bylaws, electing a new Board, and making
good on all legal obligations, such as back taxes and fees. In the
past 4 years, NetBSD has grown and flourished under the supervision of
four Boards of directors elected by the membership, adding 83
developers, and releasing 6 new versions of NetBSD and 12 quarterly
branches of pkgsrc, its third-party packaging system, with (currently)
6226 packages.

In the past year, one focus of the Foundation has been on ensuring the
security of our systems, the accountability of our developers, and the
clear legal status of the software we develop and distribute. Since
before the reorganization of the Foundation in 2000 all developers
have been required to sign an agreement stating the terms under which
they will participate in NetBSD; in return for this they are granted
access to change our source tree and the right to participate in our
internal democratic process. In the 1990s, the signed agreements for
many developers were lost, and due to administrative oversights some
developers continued for many years without agreements.

Over the past year, as the last step in the process of reorganization
of the Foundation that began in 2002, we have made a concerted effort
to contact those remaining developers without current agreements and
ensure their continued participation in NetBSD. Despite hundreds of...

To: <netbsd-announce@...>
Date: Tuesday, February 10, 2009 - 11:43 pm

On behalf of the NetBSD Release Engineering team, I am proud to announce
that the second release candidate of NetBSD 5.0 is now available for
download.

Since RC1, 103 tickets were pulled up. Interested readers can find the
details of these tickets in src/doc/CHANGES-5.0. RC2 represents a great
deal of progress over RC1, but with that amount of change, increased
time for testing is required. To put it bluntly, there will definitely
be a third release candidate. We are aware of a number of
release-blocking issues, but it is important that we get a jump on
testing the many changes made since RC1.

Binaries of RC2 can be downloaded from

ftp://ftp.NetBSD.org/pub/NetBSD-daily/netbsd-5-0-RC2/

Of course, those already tracking the netbsd-5 branch by source should
continue to do so, and the netbsd-5-0-RC2 tag is available if you prefer
to check out the RC2 sources specifically.

I'd like to thank all those who have helped so far in testing and
providing feedback. Please keep up the good work, it is very much
appreciated!

Enjoy,
Soren

To: <netbsd-announce@...>
Date: Saturday, October 4, 2008 - 2:02 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Leading up to this year's NYCBSDCon, a number of NetBSD developers will
be gathering for an informal ``NetBSD developer's summit'' on Friday,
October 10th, 2008. The event is hosted by Pilosoft and will take place
in their offices at 55 Broad St, 3rd Fl., New York, NY 10004. While the
developer's summit is open to the public, there is limited space, so we
ask that you contact Jan Schaumann <jschauma@netbsd.org> to get your
name on the list if you plan on attending.

Coinciding with the developer's summit and the conference will be the
12th NetBSD Hackathon, taking place at the summit, at the conference and
of course on IRC as usual. Please see http://wiki.netbsd.se/Hackathon12
for details.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)

iD8DBQFI569bfFtkr68iakwRAuHpAJ9GSNhRxv7qVS+UqEIX87qOsQzDRwCeK1XK
pjDOBWiV6SVBww0YTjvTwoo=
=SYWx
-----END PGP SIGNATURE-----

To: NetBSD Announcements <netbsd-announce@...>
Date: Tuesday, July 14, 2009 - 5:31 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NetBSD Security Advisory 2009-010
=================================

Topic:          ISC dhclient subnet-mask flag stack overflow

Version:        NetBSD-current:     affected before June 24, 2009
                NetBSD 5.0:         affected
                NetBSD 4.0.*:       affected
                NetBSD 4.0:         affected
                pkgsrc:             isc-dhclient package prior to
                                    4.1.0p1, 4.0.1p1, or 3.1.2p1

Severity:       Arbitrary Code Execution

Fixed:          NetBSD-current:     June 24, 2009
                NetBSD-5-0 branch:  July 14, 2009 20:00 UTC
                NetBSD-5 branch:    July 14, 2009 20:00 UTC
                NetBSD-4-0 branch:  July 14, 2009 20:00 UTC
                NetBSD-4 branch:    July 14, 2009 20:00 UTC
                pkgsrc 2009Q2:      isc-dhclient-4.1.0p1, 4.0.1p1 and
                                    3.1.2p1 correct the issue

Abstract
========

A stack overflow vulnerability in ISC dhclient allows an attacker
operating a rogue DHCP server to execute arbitrary code with root
privileges on the affected system by supplying a specially crafted
subnet-mask parameter.

This vulnerability has been assigned CVE-2009-0692 and CERT
Vulnerability Note VU#410676.

Technical Details
=================

The script_write_params() function in ISC dhclient version 4.1.0 and
earlier, 4.0.1 and earlier as well as 3.1.2 and earlier fails to
properly verify the subnet-mask parameter while copying it into
the internal state.

This can be exploited to overwrite the stack frame pointer and execute
arbitrary code in the context of the dhclient process. The size of the
injected code is thereby limited to the MTU of the interface dhclient
is listening on.

For more details, please see CVE-2009-0692.

Solutions and Workarounds
=========================

As a temporary workaround, disable dhclient(8) from the base OS and
use either the fixed dhclient packages from pkgsrc, or alternatively
the program dhcpcd(8) from the base system.

The following instructions describe how to upgrade your dhclient
binaries by updating your source tree and rebuilding and
installing a new version of dhclient.

...
