On June 19, 2019 8:23:59 AM GMT+03:00, Theo de Raadt
wrote:
>Strahil Nikolov wrote:
>
>> I was wondering if CVE-2019-5598 is actually affecting openBSD. I'm
>> asking as FreeBSD is usually several versions behind and this one
>> might not affect PF in recent openBSD versions.
>
>https://www.openbsd.org/errata63.html#p031_pficmp
>
>031: SECURITY FIX: March 22, 2019 All architectures
>A state in pf could pass ICMP packets to a destination IP address
>that did not match the state.
>
>https://www.openbsd.org/errata64.html#p015_pficmp
>
>015: SECURITY FIX: March 22, 2019 All architectures
>A state in pf could pass ICMP packets to a destination IP address
>that did not match the state.
>
>You probably had trouble connecting the dots because the original
>report
>was March 19, fixed on March 20, released as errata + syspatch on March
>22. then we shipped the 6.5 release on May 1.
>
>So that means 6.5 shipped without the problem.
>
>FreeBSD finally release something on May 14.
>
>https://ftp.openbsd.org/pub/OpenBSD/patches/6.3/common/031_pficmp.patch.sig
>
>You may also find it hard to believe it took two nearly months for them
>to merge a fix from OpenBSD which applied with mininum fuzz, validate
>it, and then ship it to users. Also, that was done without mentioning
>that
>the fix was taken from an OpenBSD repair job which got done within 24
>hours
>of the initial report. Rah rah for themselves, I suppose.
Hi Theo,
Thanks for the reply.
Yes , I really missed that. I'm on 6.5 , so I'm good.
Good Job to all developers ! This speed is really impressive.
Best Regards,
Strahil Nikolov
