Eugene Grosbein
2020-Apr-21 19:28 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
21.04.2020 23:55, FreeBSD Security Advisories wrote:

> ============================================================================
> FreeBSD-SA-20:10.ipfw Security Advisory
> The FreeBSD Project
>
> Topic: ipfw invalid mbuf handling

[skip]

> IV. Workaround
>
> No workaround is available. Systems not using the ipfw firewall are
> not vulnerable.

This is not true. The problem affects only seldom used rules matching TCP packets by list of TCP options (rules with "tcpoptions" keyword) and/or by TCP MSS size (rules with matching "tcpmss" keyword, don't mix with "tcp-setmss" action keyword).

Systems not using "tcpoptions" nor "tcpmss" keywords to match TCP packets are not affected. For example, systems using any of the default templates (open/client/simple/closed/workstation) are not affected.

Please consider re-checking this and adjusting the Advisory.

Ed Maste
2020-Apr-21 22:15 UTC
[FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-20:10.ipfw
On Tue, 21 Apr 2020 at 15:29, Eugene Grosbein <eugen at grosbein.net> wrote:

> 21.04.2020 23:55, FreeBSD Security Advisories wrote:
> > ============================================================================
> > FreeBSD-SA-20:10.ipfw Security Advisory
> > The FreeBSD Project
> >
> > Topic: ipfw invalid mbuf handling
>
> [skip]
>
> > IV. Workaround
> >
> > No workaround is available. Systems not using the ipfw firewall are
> > not vulnerable.
>
> This is not true. The problem affects only seldom used rules matching TCP packets
> by list of TCP options (rules with "tcpoptions" keyword) and/or by TCP MSS size
> (rules with matching "tcpmss" keyword, don't mix with "tcp-setmss" action keyword).

I believe this is correct; what about this statement:

No workaround is available. Systems not using the ipfw firewall, and systems that use the ipfw firewall but without any rules using "tcpoptions" or "tcpmss" keywords, are not affected.
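
A ruleset check for the two keywords discussed in this thread, as an added example that is not part of either message or of the advisory. The function names and the sample rules are constructed for illustration, and the input is assumed to be `ipfw list`-style text on stdin.

```shell
#!/bin/sh
# Added example (not from the thread or the advisory): list ipfw rules that
# match on the "tcpoptions" or "tcpmss" keywords named in the discussion.
# On a live system the input would come from:  ipfw list | find_affected_rules

# Constructed sample ruleset in "ipfw list" style, for offline demonstration.
sample_ruleset() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00200 allow tcp from any to me 22 setup tcpoptions mss
00300 deny tcp from any to any tcpmss 0-500
00400 tcp-setmss 1400 tcp from any to any setup // replaces old tcpmss rule
00500 allow tcp from any to any established
EOF
}

# Print every rule on stdin that uses one of the two matching keywords.
# Exit status is 0 when at least one such rule exists, non-zero otherwise.
find_affected_rules() {
    # 1. Drop trailing "// comment" text so a keyword that appears only in a
    #    rule comment is not reported.
    # 2. Match the keywords as whole words. The "tcp-setmss" action is a
    #    different token and is not matched.
    sed 's,[[:space:]]//.*$,,' |
        grep -E '(^|[[:space:]])(tcpoptions|tcpmss)([[:space:]]|$)'
}

# Demonstration on the constructed sample: prints rules 00200 and 00300.
sample_ruleset | find_affected_rules
```

An empty result means the ruleset contains no rules using either keyword; rule 00400 is skipped because it only uses the `tcp-setmss` action and mentions `tcpmss` in a comment.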