Strahil Nikolov <hunter86...@yahoo.com> wrote: > I was wondering if CVE-2019-5598 is actually affecting openBSD. I'm > asking as FreeBSD is usually several versions behind and this one > might not affect PF in recent openBSD versions.
https://www.openbsd.org/errata63.html#p031_pficmp 031: SECURITY FIX: March 22, 2019 All architectures A state in pf could pass ICMP packets to a destination IP address that did not match the state. https://www.openbsd.org/errata64.html#p015_pficmp 015: SECURITY FIX: March 22, 2019 All architectures A state in pf could pass ICMP packets to a destination IP address that did not match the state. You probably had trouble connecting the dots because the original report was March 19, fixed on March 20, released as errata + syspatch on March 22. then we shipped the 6.5 release on May 1. So that means 6.5 shipped without the problem. FreeBSD finally release something on May 14. https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig You may also find it hard to believe it took two nearly months for them to merge a fix from OpenBSD which applied with mininum fuzz, validate it, and then ship it to users. Also, that was done without mentioning that the fix was taken from an OpenBSD repair job which got done within 24 hours of the initial report. Rah rah for themselves, I suppose.
