Upstream fixes missing?
I'm a little worried now, that something went wrong, maybe locally at our side.
It's been 22 days since CVE-2020-25577 and CVE-2020-7469 were announced, with possible remote code execution affecting FreeBSD.
I was told the fix is already in the pipeline, but I have checked frequently since and have not seen any updates for 2.4.5-RELEASE-p1.
Can anyone shed some light on this? Is pfSense not affected, or is there some other reason for the delay? Or is my local update bugged?
Gertjan
Or is my local update bugged?
Easy to check. Visit System > Update > System Update: does it say "up to date"?
Visit System > Package Manager > Available Packages: does the list get populated? Do you receive package updates once in a while?
Visit SSH (console): option 8 and "pkg update": do you receive a
pfSense repository is up to date. All repositories are up to date.
About "CVE-2020-25577": see for yourself: https://www.cybersecurity-help.cz/vdb/SB2020120118
The first one: local access is needed.
The second part: a specially crafted ICMPv6 package. Do you use IPv6? Accessible from the outside? Normally there are no WAN rules, that is, there will be one rule: block everything, crafted or not.
CVE-2020-7469: somewhat the same thing, ICMPv6: https://lists.freebsd.org/pipermail/freebsd-announce/2020-December/002000.html (take note that FreeBSD 11.3 isn't listed here, which means there is no patch available or the issue doesn't exist for 11.3).
Anyway, it's an upstream FreeBSD issue.