On June 19, 2019 8:23:59 AM GMT+03:00, Theo de Raadt <dera...@openbsd.org> wrote:
>Strahil Nikolov <hunter86...@yahoo.com> wrote:
>
>> I was wondering if CVE-2019-5598 is actually affecting OpenBSD. I'm
>> asking as FreeBSD is usually several versions behind and this one
>> might not affect PF in recent OpenBSD versions.
>
>https://www.openbsd.org/errata63.html#p031_pficmp
>
>    031: SECURITY FIX: March 22, 2019   All architectures
>    A state in pf could pass ICMP packets to a destination IP address
>    that did not match the state.
>
>https://www.openbsd.org/errata64.html#p015_pficmp
>
>    015: SECURITY FIX: March 22, 2019   All architectures
>    A state in pf could pass ICMP packets to a destination IP address
>    that did not match the state.
>
>You probably had trouble connecting the dots because the original report
>was March 19, fixed on March 20, released as errata + syspatch on March
>22. Then we shipped the 6.5 release on May 1.
>
>So that means 6.5 shipped without the problem.
>
>FreeBSD finally released something on May 14.
>
>https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig
>
>You may also find it hard to believe it took nearly two months for them
>to merge a fix from OpenBSD which applied with minimum fuzz, validate
>it, and then ship it to users. Also, that was done without mentioning that
>the fix was taken from an OpenBSD repair job which got done within 24 hours
>of the initial report. Rah rah for themselves, I suppose.

Hi Theo,

Thanks for the reply. Yes, I really missed that.
I'm on 6.5, so I'm good.

Good Job to all developers! This speed is really impressive.

Best Regards,
Strahil Nikolov