From: Dave Taht
To: cerowrt-devel@lists.bufferbloat.net
Date: Tue, 10 Apr 2012 18:31:08 -0700
Subject: [Cerowrt-devel] Security update: CVE-2012-1182

Software is imperfect.

https://www.samba.org/samba/security/CVE-2012-1182

As I ship samba by default... and the current ipv6 firewall rules are a little weak re: samba... people should be aware of this vulnerability and take appropriate measures.

Regrettably I don't have an option for those of you running dev builds going back a ways except to upgrade to current.

That is now (and entirely untested)

http://huchra.bufferbloat.net/~cero1/3.3/3.3.1-7/

I WAS in the process of finalizing some firewall rules AND there is quite a lot of new stuff in this build that I was also just beginning to test when this CVE came out - and I'm done for the day - so here it is, with the new stuff. Tested a total of 5 minutes.

+ samba36 CVE fix
+ Openwrt Toolchain
+ Openwrt SDK. I personally never use the SDK, but perhaps those of you out there that want to fiddle with building your own code would find this easier than doing it all from scratch. Let me know.

Three patches were queued up for linux 3.3.2 that seemed relevant and I felt that some benchmarks were showing the tcp rcv size problem, so they are in there in this 3.3.1 build. For more details see: patchwork.ozlabs.org/user/bundle/2566/

+ radvd fix for distributing addresses (thx guys on irc)
+ wide-dhcp-pd looks like a winner, not configured yet tho
+ tons of extra packages mentioned earlier today in another email

- no firewall/gui fix (bug # - sorry, ENOTIME, end of the week)
- missing full entropy fixes
- still massive problems with the buildbot machines
- no working aqm script
- no working dhcpv6-pd
- no fixes to dnssec (although I have something that works better)

I'm aiming for a release saturday that should be more worthwhile.

--
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net