FreeBSD Security Advisory FreeBSD-SA-14:08.tcp
-
It looks like we have another major security issue to worry about, although I don't know if pfSense is already protected against it.
http://security.freebsd.org/advisories/FreeBSD-SA-14:08.tcp.asc
The workaround is to use pf (hey! we have this!) and set "scrub in all".
Looking at my /tmp/rules.debug I see: "scrub on $WAN all fragment reassemble"
Does anyone know if this is going to be the same, or how we go about changing it?
-
We're aware of it and have been discussing it internally. Between that and yet another OpenSSL SA (FreeBSD-SA-14:09.openssl), there is likely to be a 2.1.3.
Ermal pointed out that pf scrub does not do TCP reassembly so I'm not certain how viable that workaround may be in practice. We have scrub on by default so if that does help, then we aren't too exposed.
-
Thanks, I assumed you guys were working on it. You'd take too much heat if you weren't.
I was just hoping this was an easy "Yep, you're good until a release happens".