Date: Tue, 03 Sep 2024 17:42:34 +0000
From: bugzilla-noreply@freebsd.org
To: net@FreeBSD.org
Subject: [Bug 280701] FreeBSD-SA-24:05 fix breaks ICMP/ICMP6 states handling in pf firewall (ping, traceroute)
Message-ID: <bug-280701-7501-HE3e9f8mLY@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-280701-7501@https.bugs.freebsd.org/bugzilla/>
References: <bug-280701-7501@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280701

--- Comment #65 from Gordon Tetlow <gordon@FreeBSD.org> ---
In reply to doktornotor from comment #64:

> Not sure about other people here suffering from the regressions, but I'd
> seriously appreciate some form of communication beyond automated
> commit-hook@ messages.

While I can't address the rest of this comment, in regards to more
communication, secteam will publish an erratum for this issue shortly. We are
letting it sit for a hot minute to ensure we don't have (additional) breakages.
As you can imagine, the last thing we want to do is issue an erratum for an
erratum.

There was also a question earlier from comment #40:

> How's this whole thing a security issue deserving an SA and urgent patching
> causing the above regressions which are impacting real network operation and
> many users, goes beyond me, sorry.

As to the question of why the original "fix" was treated as a security advisory
– The issue was originally brought to us by an external researcher (as
credited in the SA-24:05.pf write up) as a security issue, so there was an
anchoring bias. secteam did have a debate internally as to whether it should be
a security advisory or an erratum. Ultimately, we decided to call it an SA due
to the fact that security software on the system was behaving in an unexpected
way and allowing things through that it shouldn't have. I, with my
security-officer hat on, stand by this decision and would likely make the same
one given the same facts today.

-- 
You are receiving this mail because:
You are the assignee for the bug.