> Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100: > > I've got a question about recently discovered serious > > vulnerabilities in certain TCP stack implementations, designated as > > AMNESIA:33 (as far as I could follow the recently made > > announcements and statements, please see, for instance, > > https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/). > > > > All mentioned open-source TCP stacks seem not to be related in any > > way with freeBSD or any derivative of the FreeBSD project, but I do > > not dare to make a statement about that. > > > > My question is very simple and aimes towards calming down my > > employees requests: is FreeBSD potentially vulnerable to this newly > > discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE > > and 13-CURRENT, latest incarnations, of course, should be least > > vulnerable ...). > > I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot > make any official statement as there are too many to even start to > investigate them. > > Also of note is that there were three other IP stacks that were NOT > vulnerable to ANY new security issues in that report as well, so it > isn't like the report found security vulnerability in every TCP/IP > stack they tested. > > The best way to have confidence is to pay people to analyize and > verify that the FreeBSD TCP/IP stack is secure, just as it is w/ > any critical code that a company runs. > Thank you very much for responding. I'll take all comments into consideration; I think one thing is clear, that even if I'd had to report that freeBSD is vulnerable, I'd have to wait for a pacth. Since my personal patch policy on RELENG for FreeBSD is to patch/update as fast as possible after a SA has been published, I'd have to wait for the patches. CURRENT and STABLE systems are updated frequently - on a weekly basis, if necessary. Kind regards, O. Hartmann
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:26 UTC