On Wed, Apr 14, 2021 at 11:44:06AM -0400, mike tancsa wrote:
> I heard about this on the ISC stormcast podcast this AM, but I can't
> quite make heads or tails of if/when what was patched with respect to
> FreeBSD.
>
> https://www.forescout.com/company/blog/forescout-and-jsof-disclose-new-dns-vulnerabilities-impacting-millions-of-enterprise-and-consumer-devices/
>
> They have a dhclient one I think is
> https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc,
> but the report somewhat ambiguously writes there is a new one?
>
> "Table 3 – New vulnerabilities in NAME:WRECK. Rows are colored according
> to the CVSS score: yellow for medium or high and red for critical." Yet
> the CVE ref is the above SA 20:26?! So this is new or this is just a
> paper talking about a bug patched last August?

The paper's referencing a bug that's already fixed in all supported
versions of FreeBSD. A lot of hand waving just for "nothing to see
here, move along" if your systems are up-to-date.

The commit that fixed the vulnerability is
8f594d4355a16f963e246be0b88b9fba8ad77049, made on 31 Aug 2020. That's
over a half a year ago.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc