Local root exploit



  • http://www.dslreports.com/forum/r23418065-WARNING-FreeBSD-78-users-Local-root-exploit-patch-out

    I really don't know a lot about FreeBSD, but since pfSense is based on it, is it a problem?

    Will it get patched?

    Thanks

    Alex



  • Not really an issue, since it pertains to non-root users getting root privs via a shell. If you don't have sshd turned on in pfSense, this would not be an issue, I would think. Even if you DO, pfSense SSH access is usually to root anyway.



  • The current stable release (1.2.2) is on FreeBSD 7.0, which isn't affected. It's only local privilege escalation, which in the case of pfSense isn't really an issue - if you can log in, you have root, so there isn't anything to escalate.

    With that said, yes, as soon as the official fix is committed to FreeBSD, our snapshots for 1.2.3 and 2.0 will have the fix. As will the 1.2.3 final release, which is awaiting a patch for the SSL/TLS renegotiation issues that we've been expecting for weeks now, hopefully that will come out soon as well. That's the only thing holding up 1.2.3 right now.



  • @cmb:

    With that said, yes, as soon as the official fix is committed to FreeBSD, our snapshots for 1.2.3 and 2.0 will have the fix. As will the 1.2.3 final release, which is awaiting a patch for the SSL/TLS renegotiation issues that we've been expecting for weeks now, hopefully that will come out soon as well. That's the only thing holding up 1.2.3 right now.

    As you probably already know, the SSL/TLS patches have been released by FreeBSD.



  • Yep, and the 1.2.3 release is actively being rolled.

