name:wreck vulnerabilities?

Shawn Webb shawn.webb at hardenedbsd.org
Wed Apr 14 16:21:01 UTC 2021


On Wed, Apr 14, 2021 at 11:44:06AM -0400, mike tancsa wrote:
> I heard about this on the ISC stormcast podcast this AM, but I can't
> quite make heads or tails of if/when what was patched with respect to
> FreeBSD.
> 
> https://www.forescout.com/company/blog/forescout-and-jsof-disclose-new-dns-vulnerabilities-impacting-millions-of-enterprise-and-consumer-devices/
> 
> They have a dhclient one I think is
> https://www.freebsd.org/security/advisories/FreeBSD-SA-20:26.dhclient.asc,
> but the report somewhat ambiguously writes there is a new one?
> 
> "Table 3 – New vulnerabilities in NAME:WRECK. Rows are colored according
> to the CVSS score: yellow for medium or high and red for critical." Yet
> the CVE ref is the above SA 20:26?! So this is new or this is just a
> paper talking about a bug patched last August?

The paper's referencing a bug that's already fixed in all supported
versions of FreeBSD. A lot of hand waving just for "nothing to see
here, move along" if your systems are up-to-date.

The commit that fixed the vulnerability is
8f594d4355a16f963e246be0b88b9fba8ad77049, made on 31 Aug 2020. That's
over a half a year ago.

Thanks,

-- 
Shawn Webb
Cofounder / Security Engineer
HardenedBSD

https://git.hardenedbsd.org/hardenedbsd/pubkeys/-/raw/master/Shawn_Webb/03A4CBEBB82EA5A67D9F3853FF2E67A277F8E1FA.pub.asc