Netgate Discussion Forum

    Netgate Security Advisory: CVE-2024-6387

    • planedrop @SteveITS

      @SteveITS

      It was only proven on 32 bit, but I think the theory is it could still happen on 64 bit, just no one has managed to do it yet lol.

      But yeah, regardless, SSH needs to not be exposed where possible.

      • mer @SteveITS

        @SteveITS said in Netgate Security Advisory: CVE-2024-6387:

        Oh my, you know this is the Internet right?

        Well, it's my fantasy world, so... 👽

        • JonathanLee @planedrop

          @planedrop A lot of users access this remotely over a VPN and then just SSH in to the command line of the firewall for remote administration at times.

          Make sure to upvote

          • planedrop @JonathanLee

            @JonathanLee Sure, and doing it over a VPN isn't a bad idea, I just personally think avoiding enabling SSH when at all possible is a good thing.

            • JonathanLee @planedrop

              @planedrop Yes, again, if you're managing many boxes and doing cyber security testing with VMs, it's not really an option to disable it 100 percent.

              • LesserBloops @JonathanLee

                Could System Patches possibly be preinstalled as a placeholder in the future, so that when looking for updates to apply, it'll appear in the average user's package list?

                I had no idea System_Patches existed until happening upon this thread, and if it's going to be used to deliver security updates, that seems important enough to install by default?

                • Gertjan @LesserBloops

                  @LesserBloops

                  It had a special "Here a new pfSense package that might interest you" introduction last February on the main announcement channel, the pfSense Blogs, and the many (loads of) references here on the forum.
                  As such, it was also very visible here on the dashboard, the RSS feed which shows the last xx blog posts.
                  It's part of the pfSense package list, and the description is (should be) pretty self-explanatory:

                  [image]

                  Patches are most often "quality of life" additions that can be applied by small (pfSense GUI) script changes.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                  • SteveITS @Gertjan

                    @LesserBloops Also of note Netgate pins patches package update messages in https://forum.netgate.com/category/16/pfsense-packages.

                    If it's a security update fixed for an older version also they put it in the release notes: https://docs.netgate.com/pfsense/en/latest/releases/2-7-1.html#security

                    I've seen your suggestion posted before so Netgate's aware of it. However because of how the package functions it won't be that obvious anyway...the admin must update the package first in order to see the new list of patches. Otherwise only the original set is listed.

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    • dennypage @LesserBloops

                      @LesserBloops said in Netgate Security Advisory: CVE-2024-6387:

                      Could System Patches possibly be preinstalled as a placeholder in the future, so that when looking for updates to apply, it'll appear in the average user's package list?

                      This seems a reasonable suggestion.

                      • Gertjan @LesserBloops

                        @LesserBloops said in Netgate Security Advisory: CVE-2024-6387:

                        I had no idea System_Patches existed until happening upon this thread

                        Yeah .... well, scrap what I've said above.
                        I'll rephrase, and express my real opinion :
                        It must be a package, so when an update exists, it will get flagged on the dashboard as 'update == patches' exist. That's the great thing about the pfSense package system.
                        I was wondering : why isn't this built into pfSense directly ? But that would mean that there will be another thing to check, pfSense packages updates and patches updates. Another dashboard widget ?
                        So : upon pfSense installation : advise the user to pick this package ?
                        Or, don't signal the admin, and install the package without admin consent ?
                        Humm, maybe not ...

                        Right now, any package is installed with admin consent, as you have to install them 'once'.

                        Patches proposed by this package are mostly only 'quality of life' ameliorations. But once in a while they are a must have, as they solve a real issue. Then the question doesn't exist anymore : people will find the forum for support, will find that there is a solution ... a patch, and so on ...

                        Real issues, like urgent software updates like (example) curl, unbound, nginx etc etc (these are not pfSense packages, but FreeBSD packages ! - or FreeBSD updates ported to their pfSense equivalent by Netgate ) are already getting updated using the command line ( SSH or console !! ) option 13.

                        @LesserBloops : I've got one for you : Auto update check, checks for updates to base system + packages and sends email alerts
                        "Install" that one also. You may not know it, but you need it 😊
                        Btw : you will need to install the Cron pfSense package.

                        This script file tells me, as I receive a mail, if anything has an upgrade waiting. Even pfSense itself.
