NetBSD Fundraising Campaign 2007
The NetBSD Foundation would like to announce its 2007 fundraising

campaign.  Thanks to donations from earlier this year, we were able to

fund a developer to work on NetBSD and we would like to extend that

opportunity.  We are aiming to raise $50,000 US by the end of the year.

Every donation, both major and minor, is welcome and will be put to good

use!
We will spend the money with a focus on improving NetBSD's SMP, real-time

computing and embedded capabilities.  This task requires a lot of work to

be done by the NetBSD developers, as well as the provision of the most

modern hardware.  Thus the main goals are:
    * provide necessary hardware for developers.

    * continue funding developers to work on improving NetBSD.

    * sponsoring developers to work on BSD-related events.

    * focused development, with specific developers funded

      to work on their areas of expertise.

    * offer bounties for long standing, hard to solve problems.
We are inviting the NetBSD community and organizations using NetBSD to

help us in achieving these goals.  This fundraising campaign is an

excellent opportunity for everyone to contribute to the NetBSD project and

to help us improve NetBSD even more!
Please read our donations page for the status of the fundraising campaign

and for information on how to donate:

http://www.NetBSD.org/donations/
Thanks a lot for your support of the NetBSD project!

Hello everyone,
I'm pleased to announce a new snapshot of NetBSD/amd64, located at

the NetBSD ftp server (and soon its mirrors) at:
	ftp://ftp.netbsd.org/pub/NetBSD/arch/amd64/iso/amd64-2003-05-10.iso
This snapshot contains some important improvements over the previous

one (see the README file in the same directory on the ftp server).

The snapshot comes in the form of a bootable ISO image, and is

a fully-featured NetBSD system. As NetBSD works its way towards its

next release (2.0), I will regularly update the ISO images at the URL

mentioned above. The link 'netbsd-amd64-latest.iso' at that location will

always point to the latest snapshot.
Future updates will be announced on the port-amd64 NetBSD mailinglist,

not on this list anymore, so subscribe to that mailinglist if you're

interested!
Enjoy, please send mail to me, the port-amd64 NetBSD mailing list, or

send a problem report using send-pr should you find any problems.
- Frank
Frank van der Linden                                   fvdl@wasabisystems.com

-----------------------http://www.wasabisystems.com/--------------------------

NetBSD development                                     Embedded, Storage, other

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
NetBSD logo design competition
The NetBSD Project is an international collaborative effort of a

large group of diverse people to produce a freely available, and

redistributable UNIX-like operating system.
NetBSD is a trademark of the NetBSD Foundation, Inc., which is a

non-profit corporation which whose primary goal is to promote

the development of the NetBSD operating system and related software.
The NetBSD Foundation is retiring the existing NetBSD daemon identity

and is adopting a new logo.  To that end we are launching an

international competition for the creation of a new logo.
We extend an invitation to all interested parties to submit design(s)

for consideration.  This is an open competition, to be judged by

the Board of Directors of the NetBSD Foundation and selected other

people.
There is a cash prize of $ 100.00 (one hundred US dollars) for the

winning entry.  The successful logo will also have wide exposure,

featuring in all NetBSD material including, but not limited to;

the NetBSD.org web site, software media, apparel, and business

systems.
The competition will close on February 29, 2003.

The rules of the competition, submission information and the

design brief are included in this document.
Please forward all designs and contact details via email to:

	<communication-exec@NetBSD.org>
We look forward with interest to receiving all proposals.
Thanks and kind regards,

Luke Mewburn <lukem@NetBSD.org>, on behalf of

The Board of Directors of The NetBSD Foundation <board@NetBSD.org>.

http://www.NetBSD.org/
_____________________
Design Brief
NetBSD's current image can be viewed here:

	http://www.NetBSD.org/

	http://www.NetBSD.org/images/NetBSD.jpg
The following problems have been identified with the current identity:

    *	Too complicated.

    *	Hard to reproduce.

    *	Has negative cultural, and religious ramifications.
Some suggested themes for the new identity include:

  ...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----
		 NetBSD Security Advisory 2004-009

		 =================================
Topic:		ftpd root escalation
Version:	NetBSD-current:	source prior to Aug 10, 2004

		NetBSD 2.0 branch: source prior to Aug 15, 2004

		NetBSD 1.6.2:	affected

		NetBSD 1.6.1:	affected

		NetBSD 1.6:	affected

		NetBSD-1.5.3:	affected

		NetBSD-1.5.2:	affected

		NetBSD-1.5.1:	affected

		NetBSD-1.5:	affected

		pkgsrc:		net/lukemftpd all versions

		pkgsrc:		net/tnftpd prior to tnftpd-20040810
Severity:	Remote root for systems providing ftpd service
Fixed:		NetBSD-current:		Aug 10, 2004

		NetBSD-2.0 branch:      Aug 15, 2004 (2.0 will include the fix)

		NetBSD-1.6 branch:	Pullups not yet issued.

					 See Solutions section.

					 (1.6.3 will include the fix)

		NetBSD-1.5 branch:	Pullups not yet issued.

					  See Solutions section.

		pkgsrc  net/lukemftpd:  Update pkgsrc, this package was

					  renamed to tnftpd

			net/tnftpd:	tnftpd-20040810 corrects this issue
Abstract

========
A set of flaws in the ftpd source code can be used together to

achieve root access within an ftp session. With root file manipulation

ability, mechanisms to gain a shell are numerous, so this issue

should be considered a remote root situation.
ftpd is disabled by default in NetBSD since NetBSD-1.5.3, however

many users might have reason to provide this popular service.
Technical Details

=================
Przemyslaw Frasunek is going to release a detailed analysis very

shortly. A URL will be provided here when available.
Since this serious issue affects many users, we won't share information

in this version of the advisory, as it would ease development of

exploits.
Solutions and Workarounds

=========================
Confirm that the host in question is running ftpd, by checking the ftp

entries in /etc/inetd.conf. By default, the entries look like this:
#ftp	stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -ll

#ftp	stream	tcp6	nowait	root	/usr/libexec/ftpd	ftp...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
NetBSD Quarterly Status Report - 2004Q3
July - September 2004:
In the third quarter of 2004, the NetBSD Project has moved closer and closer

to the much anticipated release of NetBSD 2.0.  The equally impatiently

awaited publication of the new NetBSD Logo is also imminent, delayed only be a

few legal processes concerning the transfer of the copyright etc.  Aside from

these two high-profile issues, there were, of course, a lot of other important

and interesting news during the last three months.
The third quarter of 2004 within NetBSD in details:
Administrative:

	- NetBSD Logo Design Contest update [20040930]

	- New Developers [20040901]
Miscellaneous:

	- NetBSD-2.0_RC1 tagged, followed by RC2, RC3 [20040927]

	- NetBSD again sets Internet2 Land Speed World Record [20040930]
pkgsrc:

	- buildlink2 retired [20040706]

	- New stable branch: pkgsrc-2004Q3 [20040920]

	- pkgsrc documentation moved to website [20040928]

	- Non-NetBSD bulk-builds improving [20040930]
Ports:

	- hpcarm: Thumb code working on NetBSD [20040820]

	- macppc: COMPAT_DARWIN update [20040815]

	- sgimips: wscons support for Indigo in-tree [20040708]

	- sgimips: Working driver for on-board MACE MAC-110 Ethernet on O2 [20040711]

	- sgimips: New snapshot [200040805]
Security:

	- Security Advisory [20040817]

	- Support for SHA1 hashed passwords [20040701]
Technical:

	- Miscellaneous updates

	- IPv4 PIM support integrated [20040905]

	- Work-in-progress "wedges" implementation [20040922]

	- NetBSD Version Numbering Scheme Changes [20040930]
Administrative:

===============
NetBSD Logo Design Contest update [20040930]

- --------------------------------------------
As announced in the last quarterly status report, the NetBSD Project has

reviewed all of the entries submitted to the international competition for the

creation of a new logo.  Members of the NetBSD Foundation voted for the new

logo from a short-list of six submitted designs sele...
[ message continues ]

The NetBSD Project is pleased to announce that release 2.0 of the NetBSD

operating system is now available.
About NetBSD 2.0

----------------
NetBSD is widely known as the most portable operating system in the world. It

currently supports fifty four different system architectures, all from a

single source tree, and is always being ported to more.
NetBSD 2.0 continues our long tradition with major improvements in file system

and memory management performance, major security enhancements, and support

for many new platforms and peripherals.
The addition of a native threads implementation for all platforms

and symmetrical multiprocessing (SMP) on i386 and other popular

platforms were long-standing goals for NetBSD 2.0.  Both of these

goals have now been met -- SMP support has been added for i386,

Sparc, and PowerPC, and the SMP support on Alpha and Vax has been

improved.
Please read below for more achievements in NetBSD 2.0!
Complete source and binaries for NetBSD 2.0 are available for download at

many sites around the world. A list of download sites providing FTP, AnonCVS,

SUP, and other services is provided at the end of this announcement; the

latest list of available download sites may also be found at: 
http://www.NetBSD.org/mirrors/
We encourage users who wish to install via a CD-ROM ISO image to

download via BitTorrent by using the torrent files supplied in the ISO image

area. This is the first major release of NetBSD to add BitTorrent to the

distribution mechanisms and its use is strongly encouraged to help keep

bandwidth available.
A list of hashes for the NetBSD 2.0 distribution has been signed with

the well-connected PGP key for the NetBSD Security-Offficer:

ftp://ftp.netbsd.org/pub/NetBSD/security/hashes/NetBSD-2.0_hashes.asc
About NetBSD

------------
The NetBSD operating system is a full-featured, open source, UNIX-like

operating system descended from the Berkeley Networking Release 2 (Net/2),

4.4BSD-Lite, and 4.4BSD-Lite2. NetBSD...
[ message continues ]

Dear all,
mail-index.NetBSD.org has received a software update and has been made

more conformant to the NetBSD websites look&feel.
To have a look, just visit http://mail-index.NetBSD.org/
best regards,

	spz

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
NetBSD Quarterly Status Report - 2005Q1
NetBSD is an actively developed operating system.  With fifty four

different system architectures in total and binary support of over 48

architectures in our last official release (NetBSD 2.0), our widely

portable packages collection ``pkgsrc'' and large userbase there is a

lot going on within the project.  In order to allow our users to

follow the most important changes over the last few months, we provide

a brief summary in these official status reports on a regular basis.

These status reports are suitable for reproduction and publication in

part or in whole as long as the source is clearly indicated.
- -Jan Schaumann <jschauma@NetBSD.org>
January - March 2004:
Administrative:

	- Intel donates hardware to the NetBSD Project [20050111]

	- NetBSD 1.5 EOL'd [20050126]

	- Annual NetBSD Status Report published [20050204]

	- New Developers [20050401]
Miscellaneous:

	- First commits in 2005 [20050101]

	- The NetBSD Foundation opens online store [20050128]

	- NetBSD 2.0 Interviews [20050227]

	- NetBSD turns 12 [20050321]

	- NetBSD on the road
pkgsrc:

	- Changes to the Packages Collection in January [20050209]

	- Alternative framework added [20050125]

	- Changes to the Packages Collection in February [20050307]

	- New pkgsrc-2005Q1 branch [20050324]

	- GNOME 2.10.0 / KDE 3.4.0 available [20050331]

	- pkg_select

	- pkgsrcCon '05
Ports:

	- amd64: running on Intel EM64T [20050220]

	- cobalt: restore-cd mini howto available [20050311]

	- evbarm: ported to TS-7200 [20050104]

	- macppc: Mac mini supported

	- sparc64: Sleep sleeps forever no more [20050217]

	- xen: NetBSD and Xen [20050304]

	- xen: support for Xen 2.0 added [20050310]
Security:

	- ipf 4.1.5 imported [20050208]

	- pkgsrc adds support for multiple digests [20050216]

	- ipsec-tools integrated [20050219]
Technical:

	- XFree86 3.3.6 EOL'd [20050107]

	- JDK 1.5.0 patches available [20050119]

	- PAM enable...
[ message continues ]

There are many upgrades we'd like to make to the NetBSD project

infrastructure, but which we cannot make because, to be blunt, our

project is poor.  Not poor in innovation nor poor in developer

resources nor poor in features -- poor in cold, hard cash, the kind

we need in order to buy hardware that would let us better serve our

users.
While other BSD projects have received tens or even hundreds of

thousands of dollars in donations, either by direct appeal to

their users (e.g. FreeBSD, when they faced tax status problems

because too much of their income had come from a single corporate

donor) or by doing their best to ensure that they received some

revenue from the distribution of their products (e.g. OpenBSD and

CD sales) we have always, I guess, been a little embarassed to

directly and clearly ask our users for money -- whether just as

plain, simple donations or in return for copies of NetBSD, which

we do our best to make available free to all on the Net by FTP,

HTTP, and BitTorrent.
But we do need your money.  We really do.  We need it to do more

things and buy more stuff that will directly help us serve you,

the NetBSD users, our "customers".
Often we're asked if people can donate hardware instead of

money.  The unfortunate fact is that while individual NetBSD

developers may be able to put donated hardware to use, we have

standard hardware packages for the TNF servers and our

administrators' lives become very hard if we just add donated

components to them.  Also, we try to buy all new systems in

complete form from vendors we've successfully done business

with in the past.
However, if you'd like to donate to NetBSD, and see your donation

go towards hardware to do things like speed up automatic builds

of NetBSD (so you can always download the latest binaries from

the branch you want for the hardware you need them for) or ensure

fast and reliable AnonCVS service, what you *can* do is donate

money to us and request that we devote it to that purpose.  We

can't make hard gua...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Note 20050708-1

		 ===============================
Topic:		NetBSD base system not vulnerable to zlib overflow

		pkgsrc did provide vulnerable versions
A zlib buffer overflow has been announced. 
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2096
The NetBSD Security Officer team was aware of this issue, and would

like to reassure users that the NetBSD base system is not vulnerable. 
The bug was introduced in changes to zlib after 1.1.4, the latest

version supplied in the base install of NetBSD.
The vulnerable version, 1.2.2 has been available from pkgsrc. 
Users of the audit-packages tool will already have noticed that version

is marked as vulnerable, and the 1.2.2nb1 update addresses the issue.
Other pkgsrc users are encouraged to update devel/zlib to 1.2.2nb1, as

well as to take advantage of the security/audit-packages infrastructure.
Thanks To

=========
Tavis Ormandy

Colin Percival

Mark Adler

Matthias Drochner

Matthias Scheler
More Information

================
Information about NetBSD and NetBSD security can be found at

http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2005, The NetBSD Foundation, Inc.  All Rights Reserved.

Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SN20050708-1.txt,v 1.1 2005/07/08 15:54:11 david Exp $
-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.4.1 (NetBSD)
iQCVAwUBQs6+TD5Ru2/4N2IFAQI9HAQAvT7R6nDbr+xDroAXYkZrs2zdI9gkIStc

UswbbKNP1G8D90h4nIKrXtvNyG+e4squRtawLB06Fylu+OkielUWeTPIzzwmef0V

qWqWBxg1EWM2WigyDS/SmA6lrQt+dgJ4bfX0IiwakBItdM6v5yScB9svI4qi0aNl

n8+PU7IvbGU=

=PWU8

-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
The NetBSD Project is pleased to announce the results of its participation

in Google's Open Source program, the ``Summer of Code''[0].  After Google

announced this program to introduce students to the world of open source

software development at the beginning of June, the NetBSD Project was

happy to join the approximately 40 other Open Source groups as a mentoring

organization and compiled a list of suggested projects[1].  Over a period

of two weeks, students researched the list of possible projects and

discussed their proposals on the public mailing lists and in private with

developers and other users alike.
After evaluating over 100 distinct applications, the NetBSD Project ranked

the applications based on (among other considerations) the possibility of

completion within the given timeframe, the availability of mentoring

developers who could guide the student and of course general interest of

the result to NetBSD's users and developers. The final ranking of projects

was submitted back to Google, and in the end a total of eight projects

were awarded to the NetBSD Project -- however, unfortunately one student

had had to withdraw early on during the contest, leaving the total of

positions within NetBSD at seven.
This list of accepted contestants was varied and international, reflecting

the general NetBSD developer genepool, ranging from people with detailed

knowledge of the different areas of NetBSD they applied for within their

project to people who at first needed a bit of an introduction into the

internals of NetBSD.
After several weeks of hard work, the due date for the deliverables of

each project came on September 1st, 2005. The code finished at that time

served as the basis of the mentors' evaluation, and the NetBSD Project is

now proud to announce that all seven remaining projects completed in time

and according to the set goals and have subsequently been rated a success

by their respective mentors. The details of each proj...
[ message continues ]

The second and finishing article with interviews about pkgsrc and

alternative packaging systems is available. This issue also provides talks

about MidnightBSD mports, GoboLinux and Zero Install:
  http://www.netbsd.org/gallery/pkgsrc-interviews.html

The NetBSD Foundation Moves to a Two Clause BSD License

=======================================================
Following on from a vote amongst the membership of the NetBSD

Foundation, and in recognition of the changing face of software

licensing, the Foundation has changed its recommended license to be a

2 clause BSD license.  A template version of this new license is

included at the bottom of this email.  This recommended license is the

one that the Foundation strongly encourages its contributors to use

when assigning copyright to the Foundation.
At the same time, all the code which was contributed to the NetBSD

Foundation has been modified to use the new 2-clause NetBSD license.
The change in license has come about because of a number of factors:
+ we have seen organisations and people concerned about the old clause

3 (the advertising clause) in the license, to the extent where NetBSD

code could not be used in commercial products; the new license means

that these concerns are no longer valid
+ UCB moved some time ago to remove clause 3 from the code

contributed to UCB; this change mirrors that one
+ we have seen some instances where clause 3 was ignored by groups

and organisations
+ the members of the NetBSD Foundation (i.e. its developers) no

longer considered clause 4 (the "endorsement" clause) to be useful

in today's software world
Martin Husemann has gone through our trees and modified the licences,

where applicable.  The first pass of this sweep changed over 5900

files in src alone.  The src diffs were more than 5.5 MB.  The final

number of files was 7104.  We believe that all changes are correct

(they were proof-read prior to being applied), but there is always the

chance that some have been missed, particularly some which were

originally contributed to TNF with a 3 clause license, or which may

contain typos meaning that our scripts could not identify them

properly.  If you (the user community) do find any of these, please

could you let us know about the...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Advisory 2009-008

		 =================================
Topic:		OpenSSL ASN1 parsing denial of service and CMS

		signature verification weakness
Version:	NetBSD-current:		affected prior to 2009-03-27

		NetBSD 5.0:		not affected

		NetBSD 4.0.*:		affected

		NetBSD 4.0:		affected

		pkgsrc:			openssl package prior to 0.9.8k
Severity:	Denial of Service, Forgery of CMS signatures
Fixed:		NetBSD-current:		May 27, 2009

		NetBSD-4 branch:	July 4, 2009 (4.1 will include the fix)

		NetBSD-4-0 branch:	July 4, 2009 (4.0.2 will include the fix)

		pkgsrc 2009Q1:		openssl-0.9.8k corrects this issue
Please note that NetBSD releases prior to 4.0, as well as the pre-release

versions of NetBSD 5.0, are no longer supported. It is recommended that

all users upgrade to a supported release.
Abstract

========
A handling error in the ASN1 parser functions can cause an

application linked against libcrypto to crash. Another

vulnerability in the CMS signature verification algorithm

allows an attacker to modify the CMS attributes of a signed

certificate.
This vulnerability has been assigned CVE-2009-0590,

CVE-2009-0591 and CVE-2009-0789.
Technical Details

=================
The function ASN1_STRING_print_ex() when used to print a BMPString

or UniversalString will crash with an invalid memory access if the

encoded length of the string is illegal.
An error calculating the length of ASN1 structure members can be

exploit to cause a memory access violation in the error path on

architectures where sizeof(long) < sizeof(void *), causing an

application linked against a vulnerable version of libcrypto to

crash.
The function CMS_verify() does not correctly handle an error

condition involving malformed signed attributes. This will cause an

invalid set of signed attributes to appear valid and content

digests will not be checked.
Solutions and Workarounds

=========================
Currently, no workaround to thi...
[ message continues ]

The pkgsrc-2008Q4 Branch

========================
The pkgsrc developers are very proud to announce the new pkgsrc-2008Q4

release, which has support for even more packages than previous releases.

As well as updated versions of many packages, the infrastructure of

pkgsrc itself has been improved for better platform and compiler

support.
At the same time, the pkgsrc-2008Q3 release has been deprecated, and

continuing engineering starts on the pkgsrc-2008Q4 release.
The pkgsrc-2008Q4 release celebrates 5 years of quarterly releases

within pkgsrc, and we would like to thank all of our users and

developers for using the world's most portable packaging system - to

all of the users, developers and supporters a very large "Thank you"

from all of us.
Some highlights of the new pkgsrc-2008Q4 release are:
+ Jared McNeill has introduced pulseaudio to pkgsrc, which is a huge

boost, giving pkgsrc the benefits of one of the best audio systems

+ our GNOME packages have been updated by Thomas Klausner, and much

work has been done on the HAL layer within GNOME by Jared McNeill.  We

also now have improved zeroconf support through the avahi package -

our thanks to Adam Hoka for that.

+ more packages have been moved to install into a staging directory,

thanks to Joerg Sonnenberger

+ improved support for AIX, again, from Joerg Sonnenberger

+ many, many packages have been updated to newer versions, to take

advantage of fixes and improved functionality.  The following versions

of packages are included in the pkgsrc-2008Q4 release:
	+ apache-2.2.11

	+ firefox-2.0.0.19 and firefox-3.0.5nb2

	+ gnome-2.24.2

	+ kde-3.5.10

	+ mysql-5.0.67

	+ openoffice-2.4.2nb3 and openoffice-3.0.0nb7

	+ perl-5.10.0

	+ postgresql-8.2.11 and postgresql-8.3.5

	+ python-2.5.2nb4

	+ ruby-1.8.7.22

	+ samba-3.0.32nb2

	+ seamonkey-1.1.13

	+ wireshark-1.0.4nb1

	+ zope-3.3.1
+ other notable changes include

	+ Kouichirou Hiratsuka has added Openoffice 3 to pkgsrc

	+ Stoned Elipot and Havard Eidnes have made it the...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
NetBSD Quarterly Status Report
NetBSD is an actively developed operating system. With fifty seven

different system architectures in total and binary support of 53

architectures in our last official release (NetBSD 3.0), our widely

portable Packages Collection "pkgsrc" and large userbase there is a lot

going on within the project. In order to allow our users to follow the

most important changes over the last few months, we provide a brief

summary in these official status reports on a regular basis. These

status reports are suitable for reproduction and publication in part or

in whole as long as the source is clearly indicated.
This is the first quarterly status report of 2006.  However, since there

was no status report for the last quarter of 2005, this report

summarizes the changes within NetBSD over the last six months, which

includes the release of both NetBSD 2.1 and NetBSD 3.0, a summary of the

NetBSD Project's participation in Google's Summer of Code and the

release of two stable pkgsrc branches, among many other things.
- -Jan Schaumann <jschauma@NetBSD.org>
July 2005 - December 2005:
Administrative:

	- New NetBSD Core Team [20050803]

	- New Developers [20060101]

	- Donation results [20051108]
Miscellaneous:

	- NetBSD ported to working toaster [20050811]

	- NetBSD and the Google Summer of Code [20051016]

	- NetBSD 2.1 released [20051102]

	- New official Powered by NetBSD logo [20051124]

	- NetBSD 3.0 released [20051223]

	- NetBSD on the road
pkgsrc:

	- pkgsrc now part of DragonFlyBSD [20050831]

	- pkgsrc-2005Q3 branched [20050926]

	- pkgsrc-2005Q4 branched [20051230]
Ports:

	- cobalt: updated Restore CD [20050714]

	- evbarm: support for armadillo-9 boards [20051113]

	- ews4800mips: new port [20051229]

	- ia64: work in progress=20
Security:

	- pf from OpenBSD 3.7 updated [20050701]

	- NetBSD Security Note 20050708-1 released [20050708]

	- Security Advisories 2005-003 through 2005-013 release...
[ message continues ]

* The NetBSD Foundation gets permission from IEEE and The Open Group

    to incorporate material from the POSIX(R) standard
PISCATAWAY, N.J., SAN FRANCISCO, C.A., AND NEW YORK, N.Y. - 15 FEBRUARY,

2006 - The IEEE and The Open Group have granted permission to the NetBSD

Foundation to incorporate documentation for more than 1,400 interfaces

from the joint IEEE 1003.1" POSIX(R) standard and The Open Group Base

Specifications Issue 6 into its NetBSD operating system.
This step benefits developers in the NetBSD Project and software engineers

using NetBSD as their target platform. NetBSD developers can now use

standard documentation to express that a NetBSD operating system conforms

to the POSIX standard. The step also gives engineers who write software to

run on NetBSD a better understanding of how to create portable programs

using IEEE 1003.1, "Standard for Information Technology: Portable

Operating System Interface (POSIX)".
The POSIX standard, which also forms the core volumes of Version 3 of The

Open Group's Single UNIX(R) Specification, defines a set of fundamental

services needed for the construction of portable application programs. The

more than 1,400 interfaces from the standard the NetBSD Foundation can now

use includes header files, interfaces for system and library calls, and

utilities.
"One of the NetBSD Project's goals is to conform to standards when this

makes sense, said Alistair Crooks, president of the NetBSD foundation.

We appreciate the opportunity The Open Group has presented to us to have

our documentation reflect the POSIX standard, which has been widely

adopted in the IT community.
This permission will benefit our users, to whom standards compliance means

a great deal. It is also a huge step forward for some of our developers,

especially those whose native language is not English, in that

documentation can be adopted which accurately, succinctly and clearly

describes all software features and uses."
Andrew Josey, Director of...
[ message continues ]

cvsweb.netbsd.org is temporarily offline for now,

due to some hardware related trouble.
I expect it will be up within 24 hours, but not 100% sure.
Please use one of the following mirrors for now:

	cvsweb.de.netbsd.org

	cvsweb2.jp.netbsd.org

	cvsweb.no.netbsd.org
Sorry for the inconvenience.

--

soda

Dear NetBSD user,
We would like to inform you that the NetBSD project plans to branch for the

NetBSD 4.0 release soon. Before this happens, a few critical bugs have to

be fixed. The exact list has been posted to the current-users mailing list:
   http://mail-index.netbsd.org/current-users/2006/04/11/0012.html
If you are not familiar with the NetBSD release cycle and version numbering

scheme, you can find an explanation here:
   http://www.netbsd.org/Releases/release-map.html
The branch is expected to need about six month after branching before it is

ready for the actual 4.0 release.
Martin Husemann

Summary Changes to the NetBSD Packages Collection in February 2002.

===================================================================
[Apologies for the lateness of this summary. For a full list of

changes, please refer to the tech-pkg mailing list. - agc]
31 packages were added to pkgsrc last month, and 4 were removed,

which, by my calculations, gives a total of 2673 packages at the

beginning of March, up from 2646 at the beginning of February.
Notable additions include:  adjustkernel, ap-python, arch, gimp-print,

icewmconf, ipcheck, libexif, mp3blaster, mserv, openoffice (thanks,

Michael), opera6, various perl utilities, py-gimp, and other python

utilities, ripe-whois, tmda, tnef2txt, and xfrisk.
Notable updates include:  abiword, adzap, analog, ap-php, various

apache modules, balsa, cadaver, chasen, clisp, cups, dillo, dinotrace,

dt, dx, ethereal, fping, gaim, galeon, gauche, gentoo (thanks,

Thomas), ghostscript, gimp, gkrellm, gnumeric, gphoto, gqmpeg, gtkam,

horde, icewm, ipcalc, ipv6calc, irssi, iskmpd, jhead, jikes, jwhois,

libexif, libpcap, libusb, mew, mozilla, mpg123, ntp4, openldap,

openoffice, openssh, opera6, various perl utilities, various php

utilities (thanks, Johnny), pkglint, various python utilities, rsync

(after some exceptional debugging by mycroft), samba, screen, SDL,

sh-utils, silc client and server, squid, ssh, some of the suse

packages, tcpdump, tightvnc, ucd-snmp, unzip, uvscan-dat, verilog,

vim, webalizer, xmame, xpaint, xpdf, xscreensaver and xwrits.
The Package of the Month award is split, and goes to (a)

misc/bidwatcher, nominated by Martin Husemann:
"If you ever buy something from eBay, this is the tool to use.  It has

a nice GUI, all the functionality I need and it just works.  Using

snipes to get important geek goods for cheap money in the last few

seconds before the auction closes saves you money - unless this turns

out to be an obsession and you buy more goods than you need :-/"
and to (b) devel/ddd, nominated by Sean Davis:
"I'v...
[ message continues ]

Soft dependencies, also known as soft updates or softdep, is a method of

maintaining file system integrity across an unscheduled system shutdown.  It

improves file system performance by allowing metadata writes to the file

system to take place asynchronously.  Soft dependencies was introduced with

NetBSD 1.5.
The upcoming 5.0 release of NetBSD will include an alternative technology

contributed by Wasabi Systems Inc.: Write Ahead Physical Block Logging, or

logging.  Logging will provide a feature set and performance profile

superior to soft dependencies.  One compelling advantage is that file

systems using it need not be checked with the fsck utility after an

unscheduled system shutdown.
In NetBSD 5.0 both soft dependencies and an experimental, preview

implementation of logging will be available.  From NetBSD 6.0 onwards, soft

dependencies will no longer be shipped as part of the system and logging

will be the preferred method of maintaining file system integrity with FFS

file systems.
Thanks,

Andrew

There was recently an annoucement of an openssh security problem.
A full fix will be available next week, and until then, it is

advised that you run the openssh daemon (sshd) with privilege

separation enabled.
Here is some advice for users of various versions of NetBSD:
	1.4/1.5 users - use pkgsrc. ie: pkgsrc/security/openssh/Makefile

					revision 1.73 (openssh-3.3.0.1).

	1.6_BETAx users - openssh shipped with 1.6_BETAx 3.2.1, with

		privilege separation enabled.

	current users - openssh shipped with current is 3.3, with

		privilege separation enabled.
itojun

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Advisory 2006-016

		 =================================
Topic:		IPv6 socket options can crash the system
Version:	NetBSD-current:	source prior to May 23, 2006

		NetBSD 3.0:	affected

		NetBSD 2.1:     affected

		NetBSD 2.0.*:   affected

		NetBSD 2.0:     affected
Severity:	Any local user can crash the system
Fixed:		NetBSD-current:		May 23, 2006

		NetBSD-3-0 branch:	May 24, 2006

						(3.0.1 will include the fix)

		NetBSD-3   branch:	May 24, 2006

		NetBSD-2-1 branch:      May 24, 2006

						(2.1.1 will include the fix)

		NetBSD-2-0 branch:      May 24, 2006

						(2.0.4 will include the fix)

		NetBSD-2 branch:        May 24, 2006
Abstract

========
Insufficient validation when parsing IPv6 socket options can lead to a

system crash.  This can be triggered by a local non-privileged user.
Technical Details

=================
IPv6 sockets can be used with IPv4-mapped addresses, and thus IPv4

packets may be sent and delivered through an IPv6 socket.
When sending an IPv6 packet, the NetBSD kernel needs to call the

ip6_savecontrol() function in order to process the SO_TIMESTAMP socket

option.  This function should process options for IPv6 packets only,

but wasn't checking for IPv4-mapped sockets. If such a socket had this

option set, it would traverse the mbuf chain by later calling

ip6_pullexthdr(), causing a panic.
Either net.inet6.ip6.v6only sysctl MIB (global) or IPV6_V6ONLY socket

option (per-socket) need to be 0 (zero) for this code path to occur.
Solutions and Workarounds

=========================
By default on NetBSD net.inet6.ip6.v6only is set to 1 (disabled).

However, any user can set IPV6_V6ONLY on their own sockets.
The only workaround available is to rebuild a kernel with

"options BIND_V6ONLY".
For all NetBSD versions, you need to obtain fixed kernel sources,

rebuild and install the new kernel, and reboot the system.
The fixed source may be obtained from the NetBSD CVS r...
[ message continues ]

In the immortal words of Dr. Zoidberg, "Hooray!"
Today, we have two things to be happy about.  First, the fourth release

candidate of NetBSD 5.0 is available for download.  Second, this

announcement, like RC3's, coincides with an important birthday: that of

Billy West.
Below are some highlighted changes since RC3:

- Added the RLIMIT_AS resource, which limits the total address space

  available to processes.

- Improved NFS server stability

- FFS improvements

- A fix for a pf(4) DoS

- re(4) now works with the RealTek 8111C, which is found on many current

  motherboards with Intel chipsets
As usual, src/doc/CHANGES-5.0 has the full details.
Binaries of 5.0_RC4 are available for download at
ftp://ftp.NetBSD.org/pub/NetBSD-daily/netbsd-5-0-RC4/
Those of you tracking by source can either continue following the netbsd-5

branch or use the netbsd-5-0-RC4 tag.
As always, we want your feedback.  This time, we are especially

interested in hearing from people who are using NFS.
Soren

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Advisory 2006-018

		 =================================
Topic:		sail(6), dm(8) and tetris(6) buffer overflows
Version:	NetBSD-current:	source prior to June 01, 2006

		NetBSD 3.0:	affected

		NetBSD 2.1:	affected

		NetBSD 2.0.*:	affected

		NetBSD 2.0:	affected
Severity:	Local privilege escalation
Fixed:		NetBSD-current:		June 01, 2006

		NetBSD-3-0 branch:	June 08, 2006

					   (3.0.1 includes the fix)

		NetBSD-3   branch:	June 08, 2006

		NetBSD-2-1 branch:	June 08, 2006

					   (2.1.1 will include the fix)

		NetBSD-2-0 branch:	June 08, 2006

					   (2.0.4 will include the fix)

		NetBSD-2   branch:	June 08, 2006
Abstract

========
The sail, dungeon master arbiter and tetris games all contain buffer

overflows.  These programs are installed sgid games, and when

successfully exploited the vulnerabilities may allow an attacker to

elevate their privileges to the games group.
The sail vulnerability has been assigned CVE reference CVE-2006-1744.

The tetris vulnerability has been assigned CVE reference CVE-2006-1539.
Technical Details

=================
* When processing user supplied input, sail and dm do not check the

  length of the string supplied by the user before storing it.

* When storing user supplied input, tetris does not check the length

  of the string before storing it.

* When reading in the tetris scores file the data is not vaildated

  before it is stored.
Solutions and Workarounds

=========================
The following instructions describe how to upgrade your games binaries

by updating your source tree and rebuilding and installing a new

version of dm, sail and tetris.
* NetBSD-current:
	Systems running NetBSD-current dated from before 2006-06-01

	should be upgraded to NetBSD-current dated 2006-06-02 or later.
	The following files need to be updated from the

	netbsd-current CVS branch (aka HEAD):

		games/dm/dm.c

		games/sail/pl_main.c

		games/tetris/scores.c

...
[ message continues ]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1
		 NetBSD Security Advisory 2008-010

		 =================================
Topic:		Malicious PPPoE discovery packet can overrun a kernel buffer
Version:	NetBSD-current:		affected

		NetBSD 4.0:		affected

		NetBSD 3.1.*:		affected

		NetBSD 3.1		affected

		NetBSD 3.0.*:		affected

		NetBSD 3.0:		affected
Severity:	Remote denial-of-service
Fixed:		NetBSD-current:		August 08, 2008

		NetBSD-4-0 branch:	August 08, 2008

			(4.0.1 will include the fix)

		NetBSD-4 branch:	August 08, 2008

			(4.1 will include the fix)

		NetBSD-3-1 branch:	August 08, 2008

			(3.1.2 will include the fix)

                NetBSD-3-0 branch:      August 08, 2008

                        (3.0.4 will include the fix)

		NetBSD-3 branch:	August 08, 2008

			(3.2 will include the fix)
Abstract

========
A problem has been identified in the pppoe(4) code.  A bug in range checking

allows a malicious packet to make the kernel access memory outside of the

allocated buffer and cause a kernel crash.  It is currently unclear if this

issue could be exploited any further than denial of service.
Technical Details

=================
The critical code deals with early states of a PPPoE connection, before

a session between client and access concentrator has been established.

Packets in this "discovery" phase may consist of multiple variable length

"tags" packed together in a pppoe packet. Each tag is checked and the length

validated against to total packet size. A bug in this length check allowed

packets to advance the next tag pointer to up to 4 bytes beyond the end

of the packet. This can cause a kernel crash.
The problematic code path is executed even without active pppoe(4) interfaces,

as long as at least one has been created with "ifconfig pppoe0 create". No

further configuration of the pppoe(4) interface is needed.
The attack is not routable, so attackers would have to have access to the

LAN of an affected machine - or the DSL side would need to b...
[ message continues ]

Today, on the 16th birthday of NetBSD, I have the pleasure of announcing

the availability of NetBSD 5.0_RC3.
Below are some highlighted changes since RC2:

- Considerable improvements to WAPBL.

- Further X.Org refinements, including switching sgimips to X.Org.

- Scheduler Activations support is now disabled by default in sysctl.conf.

- ddb.onpanic is now set to 1 in the kernel by default, but 0 in

  sysctl.conf.  This avoids trying to dump if a crash occurs during the

  install phase.

- puffs is now enabled by default on amd64, i386, macppc, and sparc64.

- SSP kernels should work again.

- A handful of assorted stability improvements.
As always, see src/doc/CHANGES-5.0 for full details.
Binaries of 5.0_RC3 are available for download at
ftp://ftp.NetBSD.org/pub/NetBSD-daily/netbsd-5-0-RC3/
Those of you tracking by source can either continue following the netbsd-5

branch or use the netbsd-5-0-RC3 tag.
Thanks for all the help and feedback so far.  Please keep it up!
Soren

This announcement is of interest primarily to those that use

Anonymous CVS to access the NetBSD sources or maintain mirrors of

those sources.
The NetBSD source tree was split into several CVS modules some years

ago. This split is now being undone, and should be completed on

anoncvs.netbsd.org and ftp.netbsd.org within the next few hours.
Unfortunately, because there are many mirrors in our system and delays

in updating them, it may take some time before this split propagates

across all mirrors.
Once the split is complete, if you maintain a checked out copy of the

NetBSD sources, you will need to run the following script on them in

order to fix up the CVS/Repository files before doing a cvs update.
----------------------------------------------------------------------

#!/bin/sh
if [ -z "$1" -o ! -d "$1" ]; then

	echo "$0: directory not specified or not a directory"

	echo "Synopsis: $0 DIRECTORY"

	exit 1

fi
find "$1" -path '*/CVS/Repository' | \

while read fname; do

	sed -e 's@^.*base\(src\)@\1@'     \

		-e 's@^.*gnu\(src\)@\1@' \

		-e 's@^.*share\(src\)@\1@' \

		-e 's@^.*sys\(src\)@\1@' \

	 "$fname" > "$fname.out"

	mv "$fname.out" "$fname"

done

----------------------------------------------------------------------
If you maintain an anoncvs mirror, use CVSup, or otherwise have a copy

of the actual CVS repository, you will need to run a script similar to

this one in order to avoid having to re-fetch the entire repository.
----------------------------------------------------------------------

#!/bin/sh
# script to undo the split of the CVS repository

# only handles the dirs, not editing the CVSROOT/modules file
if [ -z "$1" -o ! -d "$1" ]; then

	echo "$0: directory not specified or not a directory"

	echo "Synopsis: $0 DIRECTORY"

	exit 1

fi
cd $1

mv basesrc src

mv gnusrc/gnu src/

rmdir gnusrc

mv sharesrc/share src/

rmdir sharesrc

mv syssrc/sys src/

mv syssrc/usr.sbin/config src/usr.sbin/

mv syssrc/usr.sbin/dbsym src/usr.sbin/

rmdir syssrc/us...
[ message continues ]

Subject: netbsd-4 hackathon
     A bunch of NetBSD developers are getting together next week

for an in-person hackathon.  We're going to have an on-line hackathon

to co-incide with it.  The theme of the on-line hackathon will be

getting ready for the upcoming netbsd-4 release.  We will be working

on making sure that installation goes smoothly, the relevant

documentation is up to date, and various PRs.  The hackathon will

take place from Monday May 21st to Wednesday May 23rd.  Please join

us on #NetBSD-code on irc.freenode.net and help out.

The pkgsrc-2007Q2 Release

=========================
The pkgsrc developers are very proud to announce the new pkgsrc-2007Q2

release, which has support for more packages than previous releases.

As well as updated versions of many packages, the infrastructure of

pkgsrc itself has been improved for better platform and compiler

support.
At the same time, the pkgsrc-2007Q1 release has been deprecated, and

continuing engineering starts on the pkgsrc-2007Q2 release.
Some highlights of the new pkgsrc-2007Q2 release are:
+ many, many packages have been updated to newer versions, to take

advantage of fixes and improved functionality.  The following versions

of packages are included in the pkgsrc-2007Q2 release:
	+ apache-2.2.4

	+ firefox-2.0.0.4

	+ gnome-2.18.1

	+ kde-3.5.7

	+ mysql-5.0.41

	+ openoffice-2.2.1

	+ opera-9.21

	+ postgresql-8.2.4

	+ ruby-1.8.6

	+ samba-3.0.24

	+ seamonkey-1.1.2

	+ thunderbird-2.0.0.4

	+ wireshark-0.99.5

	+ zope-3.3.1
In addition, the default versions of firefox and thunderbird have been

set to the 2.0.0.x versions, replacing the previous 1.5.0.x versions

(which have been kept in www/firefox15, mail/thunderbird15, but are no

longer the default).
+ other changes include

	+ more modular X11 packages have been added, including the modular

	  X server modules, and many X clients. With the pkgsrc-2007Q2

	  release, the "xorg" X11_TYPE will become obsolete.

	+ we have continued to develop our "filesystems" category

	+ the adoption of a new bulk building system, pbulk, by Joerg

	  Sonnenberger

	+ the addition of some pertinent bright, shiny packages such

	  as opengrok, roundcube, more modular x11 clients, coda, tea,

	  t-prot, u9fs, teamspeak-server, fuse-gphotofs, alpine, goffice,

	  mecab, qtplay, fuse-obexfs, fuse-wdfs, tesseract, sparse, htop,

	  ragel, xhtmldiff, mimetex, antiright, psvn, planner, ipbt,

	  dvdisaster, deskmenu and freepops
To the list of platforms supported by pkgsrc - AIX, BSD/OS, Darwin

(Mac OS X), DragonFly BSD, Fre...
[ message continues ]

It's online now.

Thanks for your patience.

--

soda