--- 1016	Thu Feb 24 17:36:19 2000
+++ 2816	Thu Feb 24 17:36:25 2000
@@ -3,17 +3,21 @@
 Content-Type: text/plain; charset=us-ascii
 Content-Transfer-Encoding: 7bit
 Organisation: The NetBSD Foundation, Inc.
-Message-ID:  <14505.23693.773699.404104@passion.geek.com.au>
-Date:         Wed, 16 Feb 2000 07:59:08 +1100
+Message-ID:  <14510.6825.588170.461046@passion.geek.com.au>
+Date:         Sat, 19 Feb 2000 15:27:24 +1100
 Reply-To: Daniel Carosone <security-officer@NETBSD.ORG>
 Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
 From: Daniel Carosone <security-officer@NETBSD.ORG>
-Subject:      NetBSD Security Advisory 2000-001
+Subject:      UPDATED: NetBSD Security Advisory 2000-001
 X-To:         netbsd-announce@netbsd.org
 X-cc:         tech-security@netbsd.org, current-users@netbsd.org,
               bugtraq@securityfocus.com, cert@cert.org, auscert@auscert.org.au
 To: BUGTRAQ@SECURITYFOCUS.COM
 
+An updated version of this security advisory has been issued; note
+that the advisory is now applicable to a wider range of systems than
+had previously been stated.
+
 -----BEGIN PGP SIGNED MESSAGE-----
 
                  NetBSD Security Advisory 2000-001
@@ -21,7 +25,7 @@
 
 Topic:		procfs security hole
 Version:	NetBSD 1.4.1 and prior; NetBSD-current until 20000126
-Severity:	If the proc filesystem is mounted, any user can become root
+Severity:	If the kernel has procfs configured, any user can become root
 
 
 Abstract
@@ -35,8 +39,9 @@
 memory image of another setuid binary can be manipulated in such a way
 that it will execute a shell.
 
-Note that the procfs filesystem is not used in default NetBSD
-installations.
+Systems which have procfs configured in the kernel, but not mounted
+normally, are still vulnerable because user processes may mount
+procfs. This includes most default NetBSD installations.
 
 Technical Details
 =================
@@ -64,25 +69,44 @@
 
     ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000130-procfs
 
+This patch will be included in the upcoming NetBSD 1.4.2 minor release.
+
 NetBSD-current since 20000126 is not vulnerable.  Users of
-NetBSD-current should upgrade to a source tree later than 20000126
+NetBSD-current should upgrade to a source tree later than 20000126.
 
-If this action cannot be taken, an immediate workaround is to disable
-the use of the proc filesystem. It is not mounted by default in NetBSD,
-and nothing in the NetBSD base tree depends on it. You can disable
-it by removing any procfs lines from /etc/fstab.
+If this action cannot be taken, a workaround is to disable the use of
+the proc filesystem. It is not mounted by default in NetBSD, and
+nothing in the NetBSD base tree depends on it.
+
+The procfs filesystem should be disabled by removing it from the
+kernel config and rebuilding a new kernel. It is recommended that the
+patch above be applied in this case anyway.
+
+An earlier version of this advisory suggested removing any procfs
+lines from /etc/fstab, however this is not sufficient. User processes
+are able to mount filesystems (subject to some conditions) and the
+procfs filesystem is compiled into default NetBSD kernels.  If a user
+mounts the procfs filesystem, the system will be vulnerable as above.
+
+In response to this issue, as of 20000216 NetBSD-current implements a
+sysctl 'vfs.generic.usermount' to allow administrators to select
+whether user mounts should be allowed; by default they are now
+disallowed.
 
 Thanks To
 =========
 
-Jason Thorpe and Charles Hannum for commenting on the fix.
+Jason Thorpe and Charles Hannum for commenting on the fix, Chris Jones
+for observing the user mount problem, and Frank van der Linden for
+implementing both the fix to procfs and the usermount sysctl.
 
 Revision History
 ================
 
-	1999/01/29 - initial version
-	1999/01/31 - corrected spelling of "onto"
-	1999/02/13 - minor editorial changes for release.
+	2000/01/29 - initial version
+	2000/01/31 - corrected spelling of "onto"
+	2000/02/13 - minor editorial changes for release.
+	2000/02/16 - Noted user mount problem, corrected these dates
 
 More Information
 ================
@@ -91,17 +115,17 @@
 http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
 
 
-Copyright 1999, The NetBSD Foundation, Inc.  All Rights Reserved.
+Copyright 2000, The NetBSD Foundation, Inc.  All Rights Reserved.
 
-$NetBSD: NetBSD-SA2000-001.txt,v 1.2 2000/02/13 03:25:24 dan Exp $
+$NetBSD: NetBSD-SA2000-001.txt,v 1.3 2000/02/19 04:02:43 dan Exp $
 
 -----BEGIN PGP SIGNATURE-----
 Version: 2.6.3ia
 Charset: noconv
 
-iQCVAwUBOKlSgj5Ru2/4N2IFAQECjgP/RtIkVx/KPOvt71DVPic0SGmN2o+Pu8cs
-KVKbVs0Dyt1aKJjCqYFsvm1JSD1YYa3LqRPEzA5wIKkqRRdswr1+4+h1ucEkQjyg
-OIVauDaLvgTT2KeR9aNbAmLE6ZMTWwcY6CvuBt6gU1Cqf8ej/5qzSUNmKujEu1cj
-RVxHgh1mtM4=
-=4JqF
+iQCVAwUBOK4Wqz5Ru2/4N2IFAQGPTgP+M9nt09uREXySNWGXqQFek8VRqetkQOqZ
+QPBd1k8GTvWUWZPkp3PtC1EbOzebV3u7gQ6Z+D7LCnxnH3y4EFYrULmIeNVXy55u
+vj5m0FIE2FN285X4jv0ZXwYdyDFqzObzlwhjXthB4+wYUvuS+g7R+7FVyVYX8Mr7
+pmuZ1rSgIRY=
+=lCCD
 -----END PGP SIGNATURE-----