NetBSD 5.0.1 released

NetBSD 5.0.1 is the first security/critical update of the NetBSD 5.0 release branch.

It represents a selected subset of fixes deemed critical in nature for security or stability reasons.

Security advisory fixes

• NetBSD-SA2009-004, NetBSD OpenPAM passwd(1) changing weakness.
• NetBSD-SA2009-005, Plaintext Recovery Attack Against SSH.
• NetBSD-SA2009-006, Buffer overflows in ntp.
• NetBSD-SA2009-007, Buffer overflows in hack(6).
• NetBSD-SA2009-008, OpenSSL ASN1 parsing denial of service and CMS signature verification weakness.
• NetBSD-SA2009-009, OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities.
• NetBSD-SA2009-010, ISC dhclient subnet-mask flag stack overflow.
• NetBSD-SA2009-011, ISC DHCP server Denial of Service vulnerability.
• NetBSD-SA2009-012, SHA2 implementation potential buffer overflow.
• NetBSD-SA2009-013, BIND named dynamic update Denial of Service vulnerability.

Note: Advisories prior to NetBSD-SA2009-004 do not affect NetBSD 5.0.

Kernel

• Fix random “filesystem full” messages on large FFS file systems.
• Fix a regression in the 4.4BSD scheduler, improving interactive performance under load.
• Remove a race where physio_done() may use memory already freed. Fixes PR kern/39536.
• Fix a crash observed when trying to load a corrupted ELF kernel module.
• Fix PR kern/41566, where writes on the controlling tty were not being awoken from blocks.
• Various fixes for POSIX message queues.
• Fix a possible deadlock in the VFS subsystem.
• Fixes for POSIX advisory locks.
• A number of other stability fixes.

Networking

• Follow exactly the recommendation of draft-ietf-tcpm-tcpsecure-11.txt: Don’t check gainst the last ack received, but the expected sequence number. This makes RST handling independent of delayed ACK.
• Fix a panic when trying to disable IPFilter before enabling it. Fixes PR kern/41364.

NetBSD 5.0.1 is available for download here.