[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 03 Sep 2024 17:42:34 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #65 from Gordon Tetlow <gordon@FreeBSD.org> ---
In reply to doktornotor from comment #64:
> Not sure about other people here suffering from the regressions, but I'd
> seriously appreciate some form of communication beyond automated
> commit-hook@ messages.
While I can't address the rest of this comment, in regards to more
communication, secteam will publish an erratum for this issue shortly. We are
letting it sit for a hot minute to ensure we don't have (additional) breakages.
As you can imagine, the last thing we want to do is issue an erratum for an
erratum.

There was also a question earlier from comment #40:
> How's this whole thing a security issue deserving an SA and urgent patching
> causing the above regressions which are impacting real network operation and
> many users, goes beyond me, sorry. 
As to the question of why the original "fix" was treated as a security advisory
– The issue was originally brought to us by an external researcher (as credited
in the SA-24:05.pf write-up) as a security issue, so there was an anchoring
bias. secteam did have a debate internally as to whether it should be a
security advisory or an erratum. Ultimately, we decided to call it an SA due to
the fact that security software on the system was behaving in an unexpected way
and allowing things through that it shouldn't have. I, with my security-officer
hat on, stand by this decision and would likely make the same one given the
same facts today.
