Upstream fixes missing?
I'm a little worried now, that something went wrong, maybe locally at our side.
It's been 22 days since CVE-2020-25577 and CVE-2020-7469 were announced, with possible remote code execution affecting FreeBSD.
I was told the fix is already in the pipeline, but I have checked frequently since and have not seen any updates for 2.4.5-RELEASE-p1. Can anyone shed some light on this? Is pfSense not affected, or is there some other reason for the delay? Or is my local update bugged?
Cheers,
Tobias
@tm_an said in Upstream fixes missing?:
Or is my local update bugged?
Easy to check. Visit System > Update > System Update: does it say "up to date"?
Visit System > Package Manager > Available Packages: does the list get populated? Do you receive package updates once in a while?
Via SSH (console): option 8 and "pkg update": do you receive "pfSense repository is up to date. All repositories are up to date."?
About CVE-2020-25577: see for yourself: https://www.cybersecurity-help.cz/vdb/SB2020120118
The first one: local access is needed.
The second part: a specially crafted ICMPv6 packet. You use IPv6? Accessible from the outside? Normally, there are no WAN rules, that is, there will be one rule: block everything. Crafted, or not.
CVE-2020-7469: somewhat the same thing: ICMPv6: https://lists.freebsd.org/pipermail/freebsd-announce/2020-December/002000.html (take note that FreeBSD 11.3 isn't listed here, which means there is no patch available or the issue doesn't exist for 11.3).
Anyway, it's an upstream FreeBSD issue.
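The manual checks above (pkg update from console option 8, then seeing whether anything is still behind the repository) can be scripted. The following is an added example written for this thread, not code posted by either participant or shipped with pfSense. It uses the standard pkg(8) subcommands `pkg update` and `pkg version -vRL=` (list packages whose installed version differs from the remote repository), and keeps the output parsing in separate functions so they can be exercised against a constructed sample without a live firewall. The package names and versions in the sample are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise whether a pfSense/FreeBSD
# box still has package updates pending, i.e. the check the poster is told to do by hand.
# Live part: `pkg update` (repo reachable?) and `pkg version -vRL=` (what is outdated?).
# Parsing is isolated in functions so the constructed sample below can be checked offline.

# Count `pkg version -v` lines marked '<' (installed version older than the repository).
# Reads pkg version -v style output on stdin, prints the count.
count_outdated() {
    awk '$2 == "<" { n++ } END { print n + 0 }'
}

# Print the name-version of every package marked '<' (first column of the line).
list_outdated() {
    awk '$2 == "<" { print $1 }'
}

# Constructed sample of `pkg version -v` output (made-up names/versions, not real data):
# one package behind the repo, one ahead of it, one matching.
SAMPLE_OUTPUT='pfSense-base-2.4.5_1              =   up-to-date with remote
pfSense-kernel-pfSense-2.4.5_1    <   needs updating (remote has 2.4.5_2)
pkg-1.14.6                        >   succeeds remote (remote has 1.14.5)'

# Live check; only meaningful on the firewall itself where pkg(8) exists.
# Returns 2 if pkg is missing, 1 if the repository cannot be reached, 0 otherwise.
check_live() {
    if ! command -v pkg >/dev/null 2>&1; then
        echo "pkg not found; run this from the pfSense shell (console option 8)" >&2
        return 2
    fi
    # Expected last line on a healthy box: "All repositories are up to date."
    pkg update || return 1
    # Only packages that are not '=' with the remote are listed; keep the '<' ones.
    pkg version -vRL= | list_outdated
}

# Offline demonstration against the constructed sample: ./check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | list_outdated
    printf 'outdated packages: %s\n' "$(printf '%s\n' "$SAMPLE_OUTPUT" | count_outdated)"
fi
```

On a box where `pkg update` succeeds but `list_outdated` prints nothing, the local update mechanism is working and there is simply nothing newer in the pfSense repository, which is the situation the reply above describes.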