Date: Thu, 17 Dec 2020 19:20:29 +0100
From: "Hartmann, O." <ohartmann@walstatt.org>
To: freebsd-security@freebsd.org
Cc: John-Mark Gurney <jmg@funkthat.com>, freebsd-current@freebsd.org, John Kennedy <warlock@phouka.net>
Subject: Re: AMNESIA:33 and FreeBSD TCP/IP stack involvement
Message-ID: <20201217192029.56f3d262@hermann.fritz.box>
In-Reply-To: <20201210200250.GJ31099@funkthat.com>
References: <20201209065849.47a51561@hermann.fritz.box> <20201210200250.GJ31099@funkthat.com>
> Hartmann, O. wrote this message on Wed, Dec 09, 2020 at 06:58 +0100:
> > I've got a question about recently discovered serious
> > vulnerabilities in certain TCP stack implementations, designated as
> > AMNESIA:33 (as far as I could follow the recently made
> > announcements and statements, please see, for instance,
> > https://www.zdnet.com/article/amnesia33-vulnerabilities-impact-millions-of-smart-and-industrial-devices/).
> >
> > All mentioned open-source TCP stacks seem not to be related in any
> > way with FreeBSD or any derivative of the FreeBSD project, but I do
> > not dare to make a statement about that.
> >
> > My question is very simple and aims towards calming down my
> > employees' requests: is FreeBSD potentially vulnerable to this newly
> > discovered flaw (we use mainly 12.1-RELENG, 12.2-RELENG, 12-STABLE
> > and 13-CURRENT; latest incarnations, of course, should be least
> > vulnerable ...).
>
> I'd be surprised if FreeBSD is vulnerable to those flaws, but I cannot
> make any official statement as there are too many to even start to
> investigate them.
>
> Also of note is that there were three other IP stacks that were NOT
> vulnerable to ANY new security issues in that report as well, so it
> isn't like the report found a security vulnerability in every TCP/IP
> stack they tested.
>
> The best way to have confidence is to pay people to analyze and
> verify that the FreeBSD TCP/IP stack is secure, just as it is w/
> any critical code that a company runs.
>

Thank you very much for responding. I'll take all comments into
consideration; I think one thing is clear: even if I had to report that
FreeBSD is vulnerable, I'd have to wait for a patch. Since my personal
patch policy on RELENG for FreeBSD is to patch/update as fast as possible
after a SA has been published, I'd have to wait for the patches.

CURRENT and STABLE systems are updated frequently - on a weekly basis, if
necessary.

Kind regards,
O. Hartmann