Date: Thu, 10 Dec 2020 12:02:50 -0800
From: John-Mark Gurney <jmg@funkthat.com>
To: "Hartmann, O." <ohartmann@walstatt.org>
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Message-ID: <20201210200250.GJ31099@funkthat.com>
In-Reply-To: <20201209065849.47a51561@hermann.fritz.box>
References: <20201209065849.47a51561@hermann.fritz.box>

Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> I've got a question about recently discovered serious vulnerabilities
> in certain TCP stack implementations, designated as AMNESIA:33 (as far
> as I could follow the recently made announcements and statements,
> please see, for instance,
> https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
>
> All mentioned open-source TCP stacks seem not to be related in any way
> with FreeBSD or any derivative of the FreeBSD project, but I do not
> dare to make a statement about that.
>
> My question is very simple and aims towards calming down my employees'
> requests: is FreeBSD potentially vulnerable to this newly discovered
> flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE and 13-CURRENT,
> latest incarnations, of course, should be least vulnerable ...).

I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
make any official statement as there are too many to even start to
investigate them.

Also of note is that there were three other IP stacks that were NOT
vulnerable to ANY new security issues in that report as well, so it
isn't like the report found security vulnerabilities in every TCP/IP
stack they tested.

The best way to have confidence is to pay people to analyze and
verify that the FreeBSD TCP/IP stack is secure, just as it is w/ any
critical code that a company runs.

--
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."