Security and NetBSD

The NetBSD Project adopts the same approach to security as it does to the rest of the system: Solutions and not hacks. Security issues in NetBSD are handled by the NetBSD security officer and the NetBSD security alert team. As well as investigating, documenting and updating code in response to newly reported security issues, the team also performs periodic code audits to search for and remove potential security problems.

NetBSD has integrated Kerberos IV (KTH-KRB), Kerberos 5 (Heimdal), SSH (OpenSSH) and full support for IPsec for both IPv4 and IPv6. In addition, all services default to their most secure settings, and no services are enabled by default for new installations.

Security Advisories

When serious security problems in NetBSD are discovered and corrected, we issue a security advisory, describing the problem and containing a pointer to the fix. These are announced to our netbsd-announce mailing list as well as to various other mailing lists and websites. In addition, they are archived on this site as well as provided as an RSS feed.

Note that we no longer issue advisories for third-party software packages (pkgsrc). Instead, an automated mechanism to audit installed binary packages is provided in security/audit-packages. We supply a machine-parsable database of vulnerable packages.

Recent Advisories

See the advisory archive for a complete list.

Security Contacts

The NetBSD Project has two security-related contact points:

  • The tech-security mailing list is an open forum for discussing issues related to NetBSD security.
  • You can directly contact the NetBSD Project about security issues by sending email to .

Reporting a security problem

To report a security problem in NetBSD, either contact the NetBSD team or send a standard NetBSD problem report, using the send-pr form or the send-pr(1) program on your NetBSD system.

Sensitive information should be encrypted using PGP, using the NetBSD security-officers' PGP key. Information about PGP can be obtained from Network Associates' PGP site.

Security Patches

All published NetBSD security patches are available on the NetBSD Project's FTP server in the security/patches/ directory.

Patching NetBSD-current

We don't release patches or advisories specifically for NetBSD-current, but instead recommend that you update to a version containing the fixes. See the advisories above for the fix dates.

NetBSD Packages Collection (pkgsrc)

The NetBSD Packages Collection provides easy source or binary installation of a large number of third-party applications. One should remember that there can often be bugs in third-party software, and some of these bugs can leave a machine vulnerable to exploitation. To cope with this, NetBSD provides an easy way to audit your installed packages for known vulnerabilities.

Checking for vulnerabilities in installed packages

The NetBSD Security-Officer and Packages Groups maintain a list of known security vulnerabilities in packages which are (or have been) included in pkgsrc. The list is available from the NetBSD FTP site at:

Through audit-packages, this list can be downloaded automatically, and a security audit of all packages installed on a system can take place.

There are two components to audit-packages. The first component, download-vulnerability-list, is for downloading the list of vulnerabilities from the NetBSD FTP site. The second component, audit-packages, checks to see if any of your installed packages are vulnerable. If a package is vulnerable, you will see output similar to the following:

Package samba-2.0.9 has a local-root-shell vulnerability, see http://www.samba.org/samba/whatsnew/macroexploit.html

One can set up audit-packages to download the vulnerabilities file daily, and include a package audit in the daily security script. Details on this are located in the MESSAGE file for audit-packages.
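As an added example (not part of the original page or of audit-packages itself), the following sh functions triage audit output in the line format shown above, counting findings per vulnerability type and gating on a type pattern so a daily job can escalate selected findings. The function names, the sample packages other than samba-2.0.9, and the acceptance of "has an" alongside "has a" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the NetBSD page): triage audit-packages output.
# Assumes each finding is one line in the format shown above:
#   Package <name-version> has a <type> vulnerability, see <url>

# Constructed sample: the first line is the one quoted on the page; the other
# packages, types and URLs are made up only to exercise the parser.
SAMPLE='Package samba-2.0.9 has a local-root-shell vulnerability, see http://www.samba.org/samba/whatsnew/macroexploit.html
Package examplepkg-1.0 has a denial-of-service vulnerability, see http://example.org/a1
Package otherpkg-3.2nb1 has an example-type vulnerability, see http://example.org/a2
Checking for vulnerabilities... (unrelated line, must be ignored)
Package thirdpkg-0.9 has a denial-of-service vulnerability, see http://example.org/a3'

# Emit "type<TAB>package<TAB>url" for every well-formed finding, sorted by type.
# Lines that do not match the expected shape are dropped, not guessed at.
parse_audit() {
    awk '$1 == "Package" && $3 == "has" && ($4 == "a" || $4 == "an") &&
         $6 == "vulnerability," && $7 == "see" && NF == 8 {
             printf "%s\t%s\t%s\n", $5, $2, $8
         }' | sort
}

# Count findings per vulnerability type: "type count", one per line.
count_by_type() {
    parse_audit | awk -F'\t' '{ n[$1]++ } END { for (t in n) print t, n[t] }' | sort
}

# Print the affected packages and return 0 if any finding's type matches the
# extended regex in $1; return 1 otherwise. Usable as a gate in a cron job.
has_urgent() {
    parse_audit | awk -F'\t' -v re="$1" '
        $1 ~ re { print $2; hit = 1 }
        END { exit hit ? 0 : 1 }'
}

printf '%s\n' "$SAMPLE" | count_by_type
printf '%s\n' "$SAMPLE" | has_urgent 'root' || echo "no urgent findings"
```

In real use, pipe the output of audit-packages into these functions in place of the constructed sample.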

Security Resources

A number of security advisories and other security resources are available on-line at these sites:

For those interested in using NetBSD in a firewalling capacity, Darren Reed's IPFilter page has a full description of IPFilter and links to further documentation.

Generated from %NetBSD: index.xml,v 1.27 2006/01/23 01:40:47 hubertf Exp %
Copyright © 1994-2006 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.
NetBSD® is a registered trademark of The NetBSD Foundation, Inc.