Minor Security Issue - DNS, /etc/hosts, freebsd-update, pkg
J. Hellenthal
jhellenthal at dataix.net
Fri Jul 5 17:22:48 UTC 2019
And in what revision besides an administrator's local modifications
suggest that those were ever a part of the source tree?
For reference ...
https://svnweb.freebsd.org/base/stable/11/etc/hosts?view=log
Quite frankly the FreeBSD source committers are much more knowledgeable
than your insight suggests...
Facts plz ...
On Thu, Jul 04, 2019 at 10:18:16AM -0400, Walter Cramer wrote:
> Suspected severity: Low. Systems with inattentive administrators may not
> receive the latest updates, and no obvious error messages will point out the
> problem.
>
> Situation discovered in: A few older 11.2-RELEASE FreeBSD systems, with
> /etc/hosts entries like this:
>
> 96.47.72.72 ftp.freebsd.org
> 96.47.72.71 pkg.freebsd.org
>
> (Those are now obsolete. Originally, they were added to simplify firewall
> rules and rule-loading, and as a DNS hijack defense.)
>
> Resulting problem: `freebsd-update fetch` sometimes "sees" the latest
> (11.2-RELEASE-p11) version of 11.2. Other times, it "sees" the older
> 11.2-RELEASE-p10. So, if a sysadmin relied on `freebsd-update` to tell him
> when systems needed updating, he could be unaware of un-patched, vulnerable
> systems.
>
> NOT verified: Whether the obsolete /etc/hosts entry for pkg.freebsd.org
> actually causes any problems. (Or if `pkg` is aware of the problem, and
> silently doing all the right things.)
>
> Suggested Fixes...
> - Have `freebsd-update`, `pkg`, and similar utilities double-check for DNS
> information that is obsolete or conflicting, and warn the user.
> - Have any obsolete - but still-active - pkg or update servers advertise
> their obsolete status, and `freebsd-update` and `pkg` notice that, and warn
> the user.
--
The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume.
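
The first suggested fix in the quoted report (compare pinned /etc/hosts entries against current DNS and warn) can be sketched as follows. This is an added example, not code from the thread or from freebsd-update or pkg. The `resolve` callable, the status names and the sample DNS answers are assumptions; in real use `resolve` must query DNS directly, because the system resolver would consult /etc/hosts itself.

```python
import ipaddress

# Constructed sample: the two pinned entries quoted in the report plus loopback lines.
SAMPLE_HOSTS = """\
::1             localhost
127.0.0.1       localhost   # loopback
96.47.72.72     ftp.freebsd.org
96.47.72.71     pkg.freebsd.org
"""

# Constructed stand-in for live DNS answers (not real lookups).
SAMPLE_DNS = {
    "ftp.freebsd.org": {"192.0.2.10"},
    "pkg.freebsd.org": {"96.47.72.71", "192.0.2.20"},
}

def parse_hosts(text):
    """Yield (address, name) for every name on every valid hosts(5) line."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # malformed address: ignore the line
        for name in fields[1:]:
            yield addr, name.lower().rstrip(".")

def audit_pins(hosts_text, resolve, suffix="freebsd.org"):
    """Return (name, pinned_addr, status) for hosts entries under `suffix`."""
    findings = []
    for addr, name in parse_hosts(hosts_text):
        if name != suffix and not name.endswith("." + suffix):
            continue
        answers = {ipaddress.ip_address(a) for a in resolve(name)}
        if not answers:
            status = "unresolvable"               # nothing to compare against
        elif addr not in answers:
            status = "stale"                      # pin disagrees with DNS
        elif len(answers) > 1:
            status = "pinned-subset"              # pin hides other valid servers
        else:
            status = "pinned-match"
        findings.append((name, str(addr), status))
    return findings

if __name__ == "__main__":
    for name, addr, status in audit_pins(SAMPLE_HOSTS, lambda n: SAMPLE_DNS.get(n, ())):
        print(f"WARNING: /etc/hosts pins {name} -> {addr} ({status})")
```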