26th Oct 2000 [SBWID-175]
COMMAND
	    NIS
SYSTEMS AFFECTED
	    - 1.4.x: All versions prior to 1.4.3 (fix will be in 1.4.3)
	    - 1.5_ALPHA: prior to June 30, 2000 (fix will be in 1.5)
	    - current: prior to June 30, 2000
PROBLEM
	    The following is based on NetBSD Security Advisory 2000-012. This
	    vulnerability applies only if the node uses NIS for hostname
	    lookups (the default NetBSD configuration is not vulnerable).
	    NIS client  nodes may  be vulnerable  to a  remote buffer overflow
	    attack.   If  the  node  is  configured  to  use  NIS for hostname
	    lookups, and a rogue NIS server  is in a position to respond  to a
	    hostname lookup request, a malformed response could cause a denial
	    of service  due to  abnormal program  termination.   In the  worst
	    case, an account could be hijacked.
	    The default installation of NetBSD  is not vulnerable, as the  NIS
	    client  daemons  are  not  started  by  default,  and  the default
	    /etc/nsswitch.conf file does not use NIS for hostname lookups.
	    The NIS hostname  lookup code (in  src/lib/libc/net/gethnamaddr.c,
	    in the _yphostent()  function) uses a  statically-allocated buffer
	    to hold  IPv4 addresses  obtained from  the lookup.   The original
	    version failed to bounds check writes into the buffer.
	    If a rogue NIS server injects a lookup result with a large number
	    of matches, the NIS hostname lookup code could overrun the buffer.
	    The attack is not likely to be effective in practice on  otherwise
	    well-configured systems.  However,  NIS does not include  any form
	    of  authentication,  and  NIS  clients  generally trust NIS server
	    data, and  a rogue  server could  introduce bogus  passwd or group
	    entries which may also allow for a remote compromise of a  system;
	    NIS should generally  only be used  when the network  is separated
	    from the greater Internet by some sort of firewall.
SOLUTION
	    The default installation  of NetBSD is  not vulnerable.   To check
	    if  your  node  is  vulnerable  or  not, check the "hosts" line in
	    /etc/nsswitch.conf.  If the line has "nis" on it, your node may be
	    vulnerable.
	    Note that if either of the "passwd" or "group" lines has "nis" in
	    them, or if the passwd or group files have an entry for `+',  your
	    system is using NIS for user and/or group lookup and should not be
	    directly connected to the Internet.
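
The checks described above can be scripted. The following is an added example, not part of the original advisory; the function names and the choice to pass the file paths as arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit for the NIS usage the advisory says to check for.
# Paths are arguments so the checks can also be run on copies of the files.

# uses_nis FILE DATABASE: succeed if DATABASE's line in FILE lists "nis".
uses_nis() {
    [ -r "$1" ] || return 1
    # Drop comments, split "db:" from its sources, then match the token "nis".
    sed -e 's/#.*//' -e 's/:/: /' "$1" | awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "nis") found = 1 }
        END { exit !found }'
}

# has_plus_entry FILE: succeed if any line starts with "+" (an NIS entry).
has_plus_entry() {
    [ -r "$1" ] && grep -q '^+' "$1"
}

# audit_nis NSSWITCH PASSWD GROUP: print findings; return 1 if any were found.
audit_nis() {
    findings=0
    if uses_nis "$1" hosts; then
        echo "$1: hosts uses nis; node may be vulnerable"
        findings=1
    fi
    for db in passwd group; do
        if uses_nis "$1" "$db"; then
            echo "$1: $db uses nis; keep this system off the open Internet"
            findings=1
        fi
    done
    for f in "$2" "$3"; do
        if has_plus_entry "$f"; then
            echo "$f: has a '+' entry; NIS is used for user/group lookup"
            findings=1
        fi
    done
    return "$findings"
}

# Usage: sh nis_audit.sh /etc/nsswitch.conf /etc/passwd /etc/group
if [ $# -eq 3 ]; then audit_nis "$@"; fi
```
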
	    To  correct  this  problem,  take  one  or  more  of the following
	    actions:
	
	        1. Turn  NIS  hostname  lookup  off,  if appropriate for  your
	           installation.  (Edit  /etc/nsswitch.conf, and remove  "nis"
	           from the "hosts" line)
	        2. Upgrade to a more recent version of NetBSD.  If you are
	           using NetBSD prior to 1.4.3, this is a good opportunity
	           to upgrade.
	        3. Apply the following patch to your source tree:
	           ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000808-nis
	           Then rebuild and reinstall libc, and rebuild and  reinstall
	           all statically linked binaries.
	
	    Systems running releases older than NetBSD 1.4 should be  upgraded
	    to NetBSD 1.4.2 before applying the fixes described here.
	    Systems running  NetBSD-current dated  from before  July 30,  2000
	    should be upgraded to NetBSD-current dated July 30, 2000 or later.
	    Systems running  NetBSD-release dated  from before  August 4, 2000
	    should  be  upgraded  to  NetBSD-release  dated  August 4, 2000 or
	    later.
	
