Date: Thu, 4 Jul 2019 10:18:16 -0400 (EDT)
From: Walter Cramer <wfc@mintsol.com>
To: freebsd-security@freebsd.org
Subject: Minor Security Issue - DNS, /etc/hosts, freebsd-update, pkg
Message-ID: <20190704093847.U44480@mulder.mintsol.com>
In-Reply-To: <20190703004928.525251A7DC@freefall.freebsd.org>
References: <20190703004928.525251A7DC@freefall.freebsd.org>
Suspected severity: Low. Systems with inattentive administrators may not receive the latest updates, and no obvious error messages will point out the problem.

Situation discovered in: A few older 11.2-RELEASE FreeBSD systems, with /etc/hosts entries like this:

    96.47.72.72  ftp.freebsd.org
    96.47.72.71  pkg.freebsd.org

(Those are now obsolete. Originally, they were added to simplify firewall rules and rule-loading, and as a DNS hijack defense.)

Resulting problem: `freebsd-update fetch` sometimes "sees" the latest (11.2-RELEASE-p11) version of 11.2. Other times, it "sees" the older 11.2-RELEASE-p10. So, if a sysadmin relied on `freebsd-update` to tell him when systems needed updating, he could be unaware of unpatched, vulnerable systems.

NOT verified: Whether the obsolete /etc/hosts entry for pkg.freebsd.org actually causes any problems. (Or if `pkg` is aware of the problem, and silently doing all the right things.)

Suggested Fixes...

- Have `freebsd-update`, `pkg`, and similar utilities double-check for DNS information that is obsolete or conflicting, and warn the user.
- Have any obsolete - but still-active - pkg or update servers advertise their obsolete status, and `freebsd-update` and `pkg` notice that, and warn the user.
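Added example, not part of Walter's message or of freebsd-update/pkg: a POSIX sh check in the spirit of the first suggested fix. It parses an /etc/hosts-style file and flags every name whose pinned address is not among the addresses the resolver currently returns, which is exactly the stale-override situation above. The hosts file and the DNS answers below are constructed sample data (the pinned addresses are the two from the message; the "current" answers are illustrative RFC 5737 addresses, not real ones); the function names check_hosts_overrides, fake_dns and make_sample_hosts are this example's own, and the drill one-liner in the comment is an assumed way to plug in a live resolver on FreeBSD, not exercised here.

```shell
#!/bin/sh
# check_hosts_overrides HOSTSFILE RESOLVER
#   RESOLVER is a command or shell function that takes one hostname and prints
#   the addresses DNS currently returns for it, one per line.  On a live
#   FreeBSD box a plausible resolver (assumption, not verified here) would be:
#     live_dns() { drill "$1" | awk '$4 == "A" || $4 == "AAAA" { print $5 }'; }
#   Prints one WARN line per stale or unresolvable entry; exit status is 0 when
#   every pinned name still agrees with DNS, 1 otherwise.
check_hosts_overrides() {
    hosts_file=$1
    resolver=$2
    found=0
    # Strip comments and blank lines; each remaining line is "ADDR NAME [ALIAS...]".
    # The loop reads from a here-document rather than a pipe so $found survives it.
    while read -r addr names; do
        for name in $names; do
            dns=$("$resolver" "$name")
            if [ -z "$dns" ]; then
                echo "WARN: $name is pinned to $addr in $hosts_file but DNS returns nothing"
                found=$((found + 1))
            elif ! printf '%s\n' "$dns" | grep -qxF -- "$addr"; then
                echo "WARN: $name is pinned to $addr in $hosts_file; DNS now says: $(printf '%s' "$dns" | tr '\n' ' ')"
                found=$((found + 1))
            fi
        done
    done <<EOF
$(sed 's/#.*//' "$hosts_file" | awk 'NF >= 2')
EOF
    [ "$found" -eq 0 ]
}

# Constructed DNS answers standing in for a real resolver (sample data only).
fake_dns() {
    case $1 in
        localhost|localhost.my.domain) printf '127.0.0.1\n::1\n' ;;
        ftp.freebsd.org) printf '203.0.113.10\n' ;;   # no longer the pinned 96.47.72.72
        pkg.freebsd.org) printf '203.0.113.11\n' ;;   # no longer the pinned 96.47.72.71
        mirror.example)  printf '198.51.100.5\n' ;;   # still agrees with the hosts file
        retired.example) ;;                           # name has vanished from DNS
    esac
}

# Writes a constructed /etc/hosts, modelled on the entries in the message, and prints its path.
make_sample_hosts() {
    f=$(mktemp "${TMPDIR:-/tmp}/hosts-check.XXXXXX")
    cat >"$f" <<'HOSTS'
# constructed sample, not a real /etc/hosts
::1           localhost localhost.my.domain
127.0.0.1     localhost localhost.my.domain
96.47.72.72   ftp.freebsd.org
96.47.72.71   pkg.freebsd.org
198.51.100.5  mirror.example    # matches DNS, must not be reported
192.0.2.9     retired.example   # no DNS answer at all
HOSTS
    printf '%s\n' "$f"
}

sample=$(make_sample_hosts)
check_hosts_overrides "$sample" fake_dns || echo "-> stale /etc/hosts override(s) found; review before trusting freebsd-update/pkg"
rm -f "$sample"
```

Run against the real file with a live resolver as `check_hosts_overrides /etc/hosts live_dns`; it reports only mismatches, so an empty output with exit 0 means no pinned name is masking a DNS change. Both "DNS differs" and "DNS returns nothing" are reported, because a name that has disappeared from DNS while still pinned locally is just as likely to point at a server nobody maintains.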