Sign in / up

back to article Staunch your Heartbleed patching: FreeBSD has a nasty credentials leak

Got FreeBSD? Get busy on the patch, because a problem with its TCP ordering has emerged, with both denial-of-service and data leakage as possible effects. The issue exists in how the popular Unix-like operating system handles TCP packets received out-of-order. Packets are held in a reassembly queue until they can be re-ordered …

COMMENTS

House rules Send corrections
This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    So if I get this correctly, the kernel tries to read the memory after returning from the function without allocating/clearing/filling it first?

    0 0
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      From reading the advisory text I would think it was this old C gem...

      void foo (void)

      {

      struct packet hope_this_works = bar ();

      add_to_list (&hope_this_works); /* Uh oh */

      }

      When foo returns, the stack space assigned for hope_this_works is no longer meaningful, and subsequent attempts to dereference the pointer stored by add_to_list will access junk.

      0 0
  2. plrndl
    Alert

    Does Windows still use the BSD implementation of TCP/IP?

    1 0
    1. NogginTheNog
      Reply Icon

      Re: Does Windows still use the BSD implementation of TCP/IP?

      Nope I think it all got re-written circa Server 2008/Vista?

      1 0
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: Does Windows still use the BSD implementation of TCP/IP?

        I think they lied to you, otherwise there wouldn't be any 'effects all versions' bugs.

        1 0
      2. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: Does Windows still use the BSD implementation of TCP/IP?

        I believe it was removed earlier than that;

        http://docs.freebsd.org/cgi/getmsg.cgi?fetch=8602+0+archive/2003/freebsd-newbies/20030928.freebsd-newbies

        0 0
  3. bigtimehustler

    Still, if they rewrote it around Vista, if it existed for long enough in the code base then Windows XP has this and will never be patched. Maybe the first issue affecting XP that makes people wish they had upgraded sooner.

    0 0
  4. Anonymous Coward
    Anonymous Coward

    Where did the list of Suppliers come from?

    Who came up with McAfee, Checkpoint Bluecoat and IronPort?

    Whilst I don't know all the products from all the manufactures above, I've had hands on experience with a decent selection of there stuff:

    From McAffe's product range, every thing that I have used so far is running a customised RHEL, and most of those are based on RHEL 6.

    Current versions of Checkpoint firewall (R76 - R77) are using a horribly hacked up RHEL5.

    IronPort, last time I used it was running a variant of RHEL4, though this was a fair time ago, so they could have changed.

    Finally I've been told by people at Bluecoat that it is either a completely proprietary OS (marketing people...) or its a customised RHEL OS as well.

    0 0
This topic is closed for new posts.

Other stories you might like