• OpenBSD errata, Mar 9, 2017

    From Sebastian Benoit@21:1/5 to All on Fri Mar 10 01:40:01 2017
    Prevent integer overflow in PF when calculating the adaptive timeout.

    Mainly states of established TCP connections would be affected
    resulting in immediate state removal once the number of states is
    bigger than adaptive.start.

    Disabling adaptive timeouts with
    set timeout { adaptive.start 0, adaptive.end 0 }
    is a workaround to avoid this bug.

    Issue found and initial diff by Mathieu Blanc (mathieu.blanc at cea dot fr)

    The problem has been fixed in -current. For 5.9 and 6.0 the following
    errata patches are available.

    https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/019_pf.patch.sig

    https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/036_pf.patch.sig

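
An added illustration of the bug class named in the message above, not the errata patch or OpenBSD's own code: it applies the linear scaling rule documented in pf.conf(5), timeout * (adaptive.end - states) / (adaptive.end - adaptive.start), once with a 32-bit intermediate and once with a 64-bit one. The function names, the 32-bit unsigned type, the simplified guard conditions and the sample limits are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Returns 1 when adaptive scaling applies (simplified guard, assumed here). */
static int adaptive_active(uint32_t start, uint32_t end, uint32_t states)
{
	return end != 0 && start < end && states > start;
}

/* 32-bit intermediate: timeout * (end - states) can wrap before the division. */
static uint32_t scale32(uint32_t timeout, uint32_t start, uint32_t end,
    uint32_t states)
{
	if (!adaptive_active(start, end, states))
		return timeout;
	if (states >= end)
		return 0;	/* at or past adaptive.end: no time left */
	return timeout * (end - states) / (end - start);
}

/* 64-bit intermediate: the product is widened first, so it cannot wrap. */
static uint32_t scale64(uint32_t timeout, uint32_t start, uint32_t end,
    uint32_t states)
{
	if (!adaptive_active(start, end, states))
		return timeout;
	if (states >= end)
		return 0;
	return (uint32_t)((uint64_t)timeout * (end - states) / (end - start));
}

int main(void)
{
	/* Constructed sample: 86400 s timeout, large constructed state limits. */
	const uint32_t timeout = 86400, start = 600000, end = 1200000;
	const uint32_t states = start + 1;	/* just past adaptive.start */

	printf("32-bit intermediate: %u s\n",
	    (unsigned)scale32(timeout, start, end, states));
	printf("64-bit intermediate: %u s\n",
	    (unsigned)scale64(timeout, start, end, states));
	/* The workaround values (both 0) leave the timeout unscaled. */
	printf("adaptive.start 0, adaptive.end 0: %u s\n",
	    (unsigned)scale32(timeout, 0, 0, states));
	return 0;
}
```

With these constructed limits the wrapped product shortens a timeout that should barely change; with small limits such as start 6000 and end 12000 the product stays below 2^32 and both variants agree.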