Minor Security Issue - DNS, /etc/hosts, freebsd-update, pkg
Walter Cramer
wfc at mintsol.com
Thu Jul 4 14:23:25 UTC 2019
Suspected severity: Low. Systems with inattentive administrators may not
receive the latest updates, and no obvious error messages will point out
the problem.

Situation discovered in: A few older 11.2-RELEASE FreeBSD systems, with
/etc/hosts entries like this:

96.47.72.72 ftp.freebsd.org
96.47.72.71 pkg.freebsd.org

(Those are now obsolete. Originally, they were added to simplify firewall
rules and rule-loading, and as a DNS hijack defense.)

Resulting problem: `freebsd-update fetch` sometimes "sees" the latest
(11.2-RELEASE-p11) version of 11.2. Other times, it "sees" the older
11.2-RELEASE-p10. So, if a sysadmin relied on `freebsd-update` to tell
him when systems needed updating, he could be unaware of un-patched,
vulnerable systems.

NOT verified: Whether the obsolete /etc/hosts entry for pkg.freebsd.org
actually causes any problems. (Or if `pkg` is aware of the problem, and
silently doing all the right things.)

Suggested Fixes...

- Have `freebsd-update`, `pkg`, and similar utilities double-check for
DNS information that is obsolete or conflicting, and warn the user.
- Have any obsolete - but still-active - pkg or update servers advertise
their obsolete status, and `freebsd-update` and `pkg` notice that, and
warn the user.
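Added example, not part of the original post and not FreeBSD project code: a POSIX sh script that does on the administrator's side what the first suggested fix asks of the tools. It reads a hosts(5) file, picks out the entries whose hostname matches a pattern (the FreeBSD update and package hosts by default), asks DNS directly for each name, and reports every pinned address that DNS no longer returns. It assumes drill(1) from the FreeBSD base system and the layout of its answer section; the script name check_hosts.sh, the hostname pattern, the function names and the sample hosts lines used in the test are constructed for this example.

```shell
#!/bin/sh
# check_hosts.sh (example, not from the original post): flag /etc/hosts
# entries for update/package servers whose pinned address no longer matches
# what DNS returns. Assumes drill(1) from the FreeBSD base system.

# dns_lookup HOST -> prints the A records DNS currently returns, one per line.
# drill queries the resolvers from /etc/resolv.conf directly, so /etc/hosts
# cannot mask the answer the way it does for getent(1) or the libc resolver.
# Only the ANSWER SECTION is read (assumed drill output layout), so CNAME
# chains are followed and ADDITIONAL SECTION glue is ignored.
dns_lookup() {
    drill -t A "$1" 2>/dev/null | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/                 { in_ans = 0 }
        in_ans && $4 == "A"   { print $5 }'
}

# check_hosts_file FILE PATTERN RESOLVER
#   FILE     - hosts(5) file to inspect
#   PATTERN  - awk regex selecting which hostnames to verify
#   RESOLVER - command (or shell function) printing DNS addresses for a name
# Prints "STALE <ip> <host> dns=<addresses>" for every pinned entry whose
# address is absent from the DNS answer; returns 1 if any were found, else 0.
# Variables are global on purpose: plain POSIX sh has no "local".
check_hosts_file() {
    file=$1
    pattern=${2:-'[.]freebsd[.]org$'}
    resolver=${3:-dns_lookup}
    status=0
    # The here-document keeps the loop in the current shell, so "status"
    # survives; a pipe into "while read" would run the loop in a subshell.
    while read -r ip name; do
        [ -n "$name" ] || continue
        answers=$("$resolver" "$name" | tr '\n' ' ')
        answers=${answers% }   # drop the trailing space tr left behind
        case " $answers " in
            *" $ip "*) ;;      # pinned address is still one DNS returns
            *)
                printf 'STALE %s %s dns=%s\n' "$ip" "$name" "${answers:-none}"
                status=1
                ;;
        esac
    done <<EOF
$(awk -v pat="$pattern" '
    { sub(/#.*/, "") }                           # strip comments
    NF >= 2 { for (i = 2; i <= NF; i++)          # every name/alias on the line
                  if ($i ~ pat) print $1, $i }
' "$file")
EOF
    return $status
}

# When saved as check_hosts.sh and run directly, audit the live /etc/hosts.
# Exit status 1 means at least one pinned entry disagrees with DNS.
case ${0##*/} in
    check_hosts.sh) check_hosts_file /etc/hosts '[.]freebsd[.]org$' dns_lookup ;;
esac
```

Run it as `sh check_hosts.sh` on the affected hosts; a non-zero exit makes it easy to hang off a periodic(8) job so the warning is not silent. A reported mismatch only says that the pinned address and the DNS answer disagree: that is the stale-entry case from the post, but the same disagreement would also surface if DNS were being tampered with, so the line is a prompt to look, not an instruction to delete the entry.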