Re: FreeBSD-SA-25:12.rtsold.asc clarification needed

From: Polarian <polarian_at_polarian.dev>
Date: Mon, 22 Dec 2025 23:23:11 UTC
Hey,

> When I asked if patching the userland code was enough, you said no.

Sorry, I must have misunderstood.

> Without rtsold if you have an interface that goes down and comes back
> up you likely will not get routes (including default) until the
> gateway performs its next timed transmission (typically 10 minutes.)

To my knowledge, rtsold sends out router solicitation, this has
nothing to do with resolvconf, so actually I am not 100% sure I
understand how rtsold can be used in this RCE.

The domain search would be within the advertisement, and thus parsed by
rtsol and passed to resolvconf, this is where the RCE exploit could
take place.

In any case rtsold and rtsol are both used in SLAAC, and whether it's
just one of them, or both of them play a part in the RCE, the
solution is the same. Rebooting if you can spare the minute downtime is
your best bet, if not netif restart should ensure the patch is applied.

Take care,
-- 
Polarian
Jabber/XMPP: polarian@icebound.dev