On Wed, Apr 14, 2021 at 11:44:06AM -0400, mike tancsa wrote:
> I heard about this on the ISC stormcast podcast this AM, but I can't
> quite make heads or tails of if/when what was patched with respect to
> FreeBSD.
>
> https://www.forescout.com/company/blog/forescout-and-jsof-disclose-new-dns-vulnerabilities-impacting-millions-of-enterprise-and-consumer-devices/
>
> They have a dhclient one I think is
> https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc,
> but the report somewhat ambiguously writes there is a new one ?
>
> "Table 3 - New vulnerabilities in NAME:WRECK. Rows are colored according
> to the CVSS score: yellow for medium or high and red for critical."
> Yet the CVE ref is the above SA 20:26?! So this is new or this is just a
> paper talking about a bug patched last August ?
The paper's referencing a bug that's already fixed in all supported
versions of FreeBSD. A lot of hand waving just for "nothing to see
here, move along" if your systems are up-to-date.

The commit that fixed the vulnerability is
8f594d4355a16f963e246be0b88b9fba8ad77049, made on 31 Aug 2020. That's
over half a year ago.
Thanks,
--
Shawn Webb
Cofounder / Security Engineer
HardenedBSD
https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc