[Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Date: Tue, 03 Sep 2024 17:42:34 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #65 from Gordon Tetlow <gordon@FreeBSD.org> ---
In reply to doktornotor from comment #64:
> Not sure about other people here suffering from the regressions, but I'd
> seriously appreciate some form of communication beyond automated
> commit-hook@ messages.

While I can't address the rest of this comment, in regards to more communication, secteam will publish an erratum for this issue shortly. We are letting it sit for a hot minute to ensure we don't have (additional) breakages. As you can imagine, the last thing we want to do is issue an erratum for an erratum.

There was also a question earlier from comment #40:
> How's this whole thing a security issue deserving an SA and urgent patching
> causing the above regressions which are impacting real network operation and
> many users, goes beyond me, sorry.

As to the question of why the original "fix" was treated as a security advisory – The issue was originally brought to us by an external researcher (as credited in the SA-24:05.pf write up) as a security issue, so there was an anchoring bias. secteam did have a debate internally as to whether it should be a security advisory or an erratum. Ultimately, we decided to call it an SA due to the fact that security software on the system was behaving in an unexpected way and allowing things through that it shouldn't have. I, with my security-officer hat on, stand by this decision and would likely make the same one given the same facts today.