• I'm a little worried now that something went wrong, maybe locally on our side.
    It's been 22 days since CVE-2020-25577 and CVE-2020-7469 were announced, with possible remote code execution affecting FreeBSD.
    I was told the fix is already in the pipeline, but I have checked frequently since, and have not seen any updates for 2.4.5-RELEASE-p1.

    Can anyone shed some light on this? Is pfSense not affected, or is there some other reason for the delay? Or is my local update bugged?

    Cheers,
    Tobias


  • @tm_an said in Upstream fixes missing?:

    Or is my local update bugged?

    Easy to check. Visit System > Update > System Update: does it say "up to date"?
    Visit System > Package Manager > Available Packages: does the list get populated? Do you receive package updates once in a while?
    Use SSH (console): option 8 and "pkg update": do you receive:

    pfSense repository is up to date.
    All repositories are up to date.
    

    About CVE-2020-25577: see for yourself: https://www.cybersecurity-help.cz/vdb/SB2020120118

    The first one: local access is needed.
    The second part: a specially crafted ICMPv6 packet: do you use IPv6? Accessible from the outside? Normally there are no WAN rules, that is, there will be one rule: block everything. Crafted or not.

    CVE-2020-7469: somewhat the same thing, ICMPv6: https://lists.freebsd.org/pipermail/freebsd-announce/2020-December/002000.html (take note that FreeBSD 11.3 isn't listed here, which means there is no patch available or the issue doesn't exist for 11.3).

    Anyway, it's an upstream FreeBSD issue.
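The "pkg update" check from the reply above, as an added example that is not part of the thread or of pfSense itself: a small POSIX sh script that inspects the output of pkg update the way the reply suggests doing by eye. It treats the update path as healthy only when there is no pkg error line, every repository that was contacted reports either "is up to date" or "update completed", and the closing "All repositories are up to date." summary is present. The two sample outputs are constructed for offline use (the repository URL in the failing sample is a placeholder, not a real pfSense mirror); the --live switch is an assumption of this script, not a pfSense option.

```shell
#!/bin/sh
# Added example, not from the forum thread or from pfSense. Decides whether the
# `pkg update` output from the pfSense console (option 8) shows a working update path.

# Constructed sample: the healthy case described in the reply.
SAMPLE_OK='Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.'

# Constructed sample: a box whose repository cannot be reached at all.
# The URL is a placeholder, not a real pfSense mirror.
SAMPLE_BROKEN='Updating pfSense repository catalogue...
pkg: https://pkg.example.invalid/meta.txz: No address record
repository pfSense has no meta file, using default settings
pkg: https://pkg.example.invalid/packagesite.txz: No address record
Unable to update repository pfSense
Error updating repositories!'

# Constructed sample: a catalogue that was just refreshed rather than already current.
SAMPLE_REFRESHED='Updating pfSense repository catalogue...
Fetching meta.txz: 100%
Fetching packagesite.txz: 100%
Processing entries: 100%
pfSense repository update completed. 467 packages processed.
All repositories are up to date.'

# repos_up_to_date OUTPUT
# Returns 0 when OUTPUT shows every contacted repository current, 1 otherwise.
repos_up_to_date() {
    out="$1"

    # Any pkg error line means at least one repository failed, whatever follows it.
    if printf '%s\n' "$out" | grep -Eq '^(pkg: |Unable to update repository|Error updating)'; then
        return 1
    fi

    # Each "Updating X repository catalogue..." must be answered by X reporting
    # "is up to date." (nothing new) or "update completed." (catalogue refreshed).
    for repo in $(printf '%s\n' "$out" | sed -n 's/^Updating \([^ ]*\) repository catalogue\.\.\.$/\1/p'); do
        printf '%s\n' "$out" | grep -Eq "^$repo repository (is up to date\.|update completed\.)" || return 1
    done

    # The summary line pkg prints once every repository was processed.
    printf '%s\n' "$out" | grep -q '^All repositories are up to date\.$'
}

# With --live (an assumption of this script, run as root on the firewall) check the
# real output; otherwise just demonstrate on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    live=$(pkg update 2>&1)
    if repos_up_to_date "$live"; then
        echo "update path OK"
    else
        echo "update path broken, pkg said:"
        printf '%s\n' "$live"
    fi
else
    for s in "$SAMPLE_OK" "$SAMPLE_BROKEN" "$SAMPLE_REFRESHED"; do
        if repos_up_to_date "$s"; then echo "sample: OK"; else echo "sample: broken"; fi
    done
fi
```

If the script reports the update path as broken, the missing 2.4.5-p1 updates are a local repository problem, which is the question the reply's checklist is meant to answer; if it reports OK and the GUI still says "up to date", then nothing has been published yet and the delay is upstream.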