Re: Is CVE-2019-5598 affecting openbsd
On June 19, 2019 8:23:59 AM GMT+03:00, Theo de Raadt wrote:
>Strahil Nikolov wrote:
>
>> I was wondering if CVE-2019-5598 is actually affecting OpenBSD. I'm
>> asking as FreeBSD is usually several versions behind and this one
>> might not affect PF in recent OpenBSD versions.
>
>https://www.openbsd.org/errata63.html#p031_pficmp
>
>031: SECURITY FIX: March 22, 2019 All architectures
>A state in pf could pass ICMP packets to a destination IP address
>that did not match the state.
>
>https://www.openbsd.org/errata64.html#p015_pficmp
>
>015: SECURITY FIX: March 22, 2019 All architectures
>A state in pf could pass ICMP packets to a destination IP address
>that did not match the state.
>
>You probably had trouble connecting the dots because the original
>report was March 19, fixed on March 20, released as errata + syspatch
>on March 22. Then we shipped the 6.5 release on May 1.
>
>So that means 6.5 shipped without the problem.
>
>FreeBSD finally released something on May 14.
>
>https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig
>
>You may also find it hard to believe it took nearly two months for them
>to merge a fix from OpenBSD which applied with minimum fuzz, validate
>it, and then ship it to users. Also, that was done without mentioning
>that the fix was taken from an OpenBSD repair job which got done within
>24 hours of the initial report. Rah rah for themselves, I suppose.

Hi Theo,

Thanks for the reply. Yes, I really missed that. I'm on 6.5, so I'm good.
Good job to all developers! This speed is really impressive.

Best Regards,
Strahil Nikolov
Re: Is CVE-2019-5598 affecting openbsd
Strahil Nikolov wrote:

> I was wondering if CVE-2019-5598 is actually affecting OpenBSD. I'm
> asking as FreeBSD is usually several versions behind and this one
> might not affect PF in recent OpenBSD versions.

https://www.openbsd.org/errata63.html#p031_pficmp

031: SECURITY FIX: March 22, 2019 All architectures
A state in pf could pass ICMP packets to a destination IP address
that did not match the state.

https://www.openbsd.org/errata64.html#p015_pficmp

015: SECURITY FIX: March 22, 2019 All architectures
A state in pf could pass ICMP packets to a destination IP address
that did not match the state.

You probably had trouble connecting the dots because the original report
was March 19, fixed on March 20, released as errata + syspatch on March
22. Then we shipped the 6.5 release on May 1.

So that means 6.5 shipped without the problem.

FreeBSD finally released something on May 14.

https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig

You may also find it hard to believe it took nearly two months for them
to merge a fix from OpenBSD which applied with minimum fuzz, validate
it, and then ship it to users. Also, that was done without mentioning that
the fix was taken from an OpenBSD repair job which got done within 24 hours
of the initial report. Rah rah for themselves, I suppose.
Is CVE-2019-5598 affecting openbsd
Hi All,

I was wondering if CVE-2019-5598 is actually affecting OpenBSD. I'm
asking as FreeBSD is usually several versions behind and this one
might not affect PF in recent OpenBSD versions.

Best Regards,
Strahil Nikolov