Applying patches from FreeBSD Security Advisories



  • I've noticed a half dozen or so FreeBSD Security Advisories published since the pfSense 2.0.1 release in December 2011 but haven't been able to find any subsequent updates for pfSense. I'm running a CF-based nanobsd/embedded image on Alix hardware so a rebuild from source would be… slow. How does everyone keep their systems patched?



  • I'm far from a security expert, but I'd really question the need to do so. Look at the vulnerabilities, but by nature of being a firewall box and not really providing any kind of interface to attack it from the outside, I'd doubt most vulnerabilities in FreeBSD are relevant. Also, FreeBSD is far from an insecure or heavily attacked platform. People have been running FreeBSD machines with years of continuous uptime, and it's proven a very secure platform.

    Look at all the Linux SOHO routers that never get updated and are home to tons of underlying kernel vulnerabilities, but never any real-world attacks.

    Obviously none of what I just wrote applies if you're a high profile target with someone who wants to attack YOU. But random attackers will choose easy targets, which pfSense isn't.



  • We're working on an update to include those. They aren't really applicable, which is why we haven't put out updates sooner. Most FreeBSD security advisories don't apply to our use cases or are in components we don't include at all.



  • @al1x:

    I've noticed a half dozen or so FreeBSD Security Advisories published since the pfSense 2.0.1 release in December 2011 but haven't been able to find any subsequent updates for pfSense. I'm running a CF-based nanobsd/embedded image on Alix hardware so a rebuild from source would be… slow. How does everyone keep their systems patched?

    Here's a listing of all the vulnerabilities for the FreeBSD base system and another for vulnerabilities found in FreeBSD ports.

    The only one I see that might be of any relevance to pfSense users is the one for clamav, which is used in the HAVP (HTTP Antivirus Proxy) package, though there could be others.

    I run FreeBSD 9.0 on my other machines and haven't noticed a vulnerability that might affect my pfSense box during the few months I've been running it.



  • The vast majority of applicable issues are in ports outside the base system, like the clamav one noted, and those are updated completely separately from and have no relation to base system versions.



  • @markuhde:

    …by nature of being a firewall box and not really providing any kind of interface to attack it from the outside, I'd doubt most vulnerabilities in FreeBSD are relevant.

    Attacks are not limited to external sources/the outside.

    @markuhde:

    Also, FreeBSD is far from an insecure or heavily attacked platform. People have been running FreeBSD machines with years of continuous uptime, and it's proven a very secure platform.

    I agree that FreeBSD is a great platform. The purpose of a Security Advisory is to publicize and patch a known vulnerability. Unpatched systems can be and are compromised daily.

    @markuhde:

    …but never any real-world attacks.

    Where is this world you speak of? I know of no such place.

    @markuhde:

    Obviously none of what I just wrote applies if you're a high profile target with someone who wants to attack YOU. But random attackers will choose easy targets, which pfSense isn't.

    Any unpatched system is an easy target.



  • @cmb:

    The vast majority of applicable issues are in ports outside the base system, like the clamav one noted, and those are updated completely separately from and have no relation to base system versions.

    OpenSSL? crypt? pam? I haven't looked at them in depth but they would seem to be relevant.. no?

    @cmb:

    We're working on an update to include those.

    Cool. Thanks for the heads up! …I'm digging through the devwiki at the moment.



  • @al1x:

    OpenSSL? crypt? pam? I haven't looked at them in depth but they would seem to be relevant.. no?

    crypt applies strictly to DES hashing, which we don't use anywhere. The PAM one isn't applicable to anything we do. The OpenSSL one, we got a private heads up related to that which I can't discuss, but it's not something that's applicable in our use cases and there are other reasons it's been delayed until now (like the additional one on sysret, though local priv escalation generally isn't applicable either). Now that the sysret one is settled with the updated advisory this week, we'll have 2.0.2 out shortly.

    We have a good relationship with the FreeBSD security team and are always on top of security advisories. If/when there is ever a reason for a quick update, we'll put one out immediately.
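    As an added example that is not part of this thread (and not pfSense or FreeBSD project code): one way for an administrator to confirm the point made above about the crypt advisory applying only to DES hashes is to check, offline, which hash formats a host's account database actually uses and which format login.conf hands out for new passwords. The account lines and the login.conf fragment below are constructed samples; the hash-prefix markers are the standard modular-crypt-format identifiers.

```python
"""Audit password-hash formats in master.passwd-style data and the
default passwd_format in login.conf-style data (added example, not from
the forum thread; all sample data is constructed)."""
import re

# Standard modular-crypt-format prefixes and the algorithm each denotes.
PREFIXES = {
    "$1$": "md5",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256",
    "$6$": "sha512",
}

# Traditional DES crypt(3): exactly 13 characters from [A-Za-z0-9./], no '$'.
_DES_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def classify_hash(field):
    """Name the hash algorithm of one password field."""
    if field == "":
        return "empty"          # account with no password set
    if field.startswith("*LOCKED*"):
        return "locked"         # FreeBSD pw(8) lock marker prepended to the hash
    if field.startswith("*") or field.startswith("!"):
        return "disabled"       # no valid hash, password login impossible
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if _DES_RE.match(field):
        return "des"            # the only format the crypt advisory concerns
    return "unknown"


def parse_master_passwd(text):
    """Yield (user, password_field) from master.passwd-style lines (10 fields)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 10:
            yield fields[0], fields[1]


def audit(text):
    """Map each user to the hash algorithm protecting the account."""
    return {user: classify_hash(pw) for user, pw in parse_master_passwd(text)}


def des_users(text):
    """Users whose stored hash is DES, i.e. the ones the advisory could touch."""
    return sorted(u for u, algo in audit(text).items() if algo == "des")


def default_passwd_format(login_conf_text):
    """Return passwd_format of the 'default' login class, or None if unset.

    login.conf records span lines with a trailing backslash, so continuation
    lines are joined before the record for 'default' is searched.
    """
    joined = re.sub(r"\\\n\s*", "", login_conf_text)
    for rec in joined.splitlines():
        rec = rec.strip()
        if not rec or rec.startswith("#"):
            continue
        names = rec.split(":", 1)[0].split("|")
        if "default" in names:
            m = re.search(r":passwd_format=([^:\\]+)", rec)
            return m.group(1) if m else None
    return None


# Constructed sample data: not from any real host.
SAMPLE_MASTER_PASSWD = """\
# constructed sample master.passwd lines
root:$6$saltsalt$Q3JvbnRoaXNpc2FjdXN0cnVjdGVkc2FtcGxlaGFzaGZvcmRlbW8:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
admin:$2b$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234:1000:0::0:0:admin:/home/admin:/bin/sh
legacy:ab4HkGXL3jhZ6:1001:1001::0:0:Legacy account:/home/legacy:/bin/sh
olduser:*LOCKED*$1$saltsalt$abcdefghijklmnopqrstuv:1002:1002::0:0:locked:/home/olduser:/bin/sh
"""

SAMPLE_LOGIN_CONF = """\
# constructed login.conf fragment
default:\\
\t:passwd_format=sha512:\\
\t:copyright=/etc/COPYRIGHT:\\
\t:welcome=/etc/motd:
"""

if __name__ == "__main__":
    for user, algo in audit(SAMPLE_MASTER_PASSWD).items():
        print(f"{user:10s} {algo}")
    print("DES hashes present for:", des_users(SAMPLE_MASTER_PASSWD) or "none")
    print("login.conf default passwd_format:", default_passwd_format(SAMPLE_LOGIN_CONF))
```

    On a real host the two inputs would be the contents of /etc/master.passwd and /etc/login.conf; an empty result from des_users together with a non-DES passwd_format means the box neither stores DES hashes nor will create new ones, which is the condition under which the crypt advisory does not apply.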

