regreSShion? Says FreeBSD is not affected.

So what's the deal with that glibc-only talk?

"This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions ... We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001."
 

gitup release
cd /usr/src/secure/usr.sbin/sshd
make all
make install
service sshd restart


Before running these commands, the server version was "OpenSSH_9.6 FreeBSD-20240104," and after executing them, the server version updated to "OpenSSH_9.6 FreeBSD-20240701."

Is this the correct procedure?
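As an added example (not code from the thread), a small sh script that checks the kind of version banner the post compares before and after the rebuild. The banner format "OpenSSH_9.6 FreeBSD-YYYYMMDD" and the 20240701 build date are taken from the post; the function names, the comparison logic and the ssh-based remote lookup are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: decide from an sshd version banner whether
# a FreeBSD build is at or after the 20240701 rebuild the post reports.
# Banner format "OpenSSH_9.6 FreeBSD-YYYYMMDD" and the 20240701 date come from
# the post; the function names and the threshold logic are assumptions.

FIXED_BUILD=20240701   # build date the post saw after rebuilding sshd

# banner_build_date BANNER: print the 8-digit FreeBSD build date, or nothing
banner_build_date() {
    printf '%s\n' "$1" | sed -n 's/.*FreeBSD-\([0-9]\{8\}\).*/\1/p'
}

# banner_is_current BANNER: exit 0 if build date >= FIXED_BUILD,
# 1 if older, 2 if the banner carries no FreeBSD build date at all
banner_is_current() {
    bd=$(banner_build_date "$1")
    [ -n "$bd" ] || return 2
    [ "$bd" -ge "$FIXED_BUILD" ]
}

# remote_banner HOST [PORT]: the server's version string as printed in ssh's
# own debug output. The banner is exchanged before host-key checks and
# authentication, so this works even when the login itself is refused.
remote_banner() {
    ssh -v -p "${2:-22}" -o BatchMode=yes -o ConnectTimeout=5 \
        -o PasswordAuthentication=no "$1" true 2>&1 |
        sed -n 's/.*remote software version //p' | head -n 1
}

# Self-check on constructed banners (the two strings quoted in the post)
for b in 'OpenSSH_9.6 FreeBSD-20240104' 'OpenSSH_9.6 FreeBSD-20240701'; do
    if banner_is_current "$b"; then
        echo "$b: at or after $FIXED_BUILD"
    else
        echo "$b: older than $FIXED_BUILD, rebuild sshd"
    fi
done
```

On a live host, `banner_is_current "$(remote_banner myhost)"` gives the same answer for a remote sshd; a banner with no FreeBSD build date (exit status 2) means the server is not a FreeBSD base-system sshd and the date check does not apply.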
 

"This vulnerability is exploitable remotely on glibc-based Linux systems, where syslog() itself calls async-signal-unsafe functions ... We have not investigated any other libc or operating system; but OpenBSD is notably not vulnerable, because its SIGALRM handler calls syslog_r(), an async-signal-safer version of syslog() that was invented by OpenBSD in 2001."

Hmmm. I wonder about my Macs. Apple hasn't released a patch so far; I wonder whether one is coming.
 
Noticed that one yesterday on our main page (and worked myself through the docs).
I don't think FreeBSD is not affected (only OpenBSD is apparently not affected); however, the exploit paths as documented by Qualys may not work for FreeBSD, so people may have to search for some exploit paths that can work on FreeBSD. Anyway, it's not funny.

It will take some time to break in, and I think one will see a number above 0 here while somebody tries:
10966 - IsJ 0:00.00 sshd: /usr/sbin/sshd [listener] 0 of 5-5 startups (
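As an added example (not code from the thread), an sh script that pulls the "N of A-B startups" counter out of the sshd listener line the post watches in ps output, so the check can run from cron instead of by eye. The ps lines below are constructed after the line quoted in the post; the function names and the alert threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: read the "N of A-B startups" counter that
# sshd keeps in its listener process title, the number the post watches with ps.
# The sample ps lines are constructed after the line quoted in the post; the
# function names and the alert threshold are assumptions.

# Constructed ps -ax output, one sshd listener in each sample
SAMPLE_IDLE='  PID TT  STAT    TIME COMMAND
 1234  -  Ss   0:00.01 /usr/sbin/syslogd -s
10966  -  IsJ  0:00.00 sshd: /usr/sbin/sshd [listener] 0 of 5-5 startups'
SAMPLE_BUSY='  PID TT  STAT    TIME COMMAND
 1250  -  Is   0:00.00 /usr/sbin/cron -s
10966  -  IsJ  0:00.00 sshd: /usr/sbin/sshd [listener] 4 of 5-5 startups'

# listener_startups: ps output on stdin -> "current max" from the listener
# line (e.g. "0 5"); prints nothing when no sshd listener line is present
listener_startups() {
    sed -n 's/.*sshd: .*\[listener\] \([0-9][0-9]*\) of [0-9][0-9]*-\([0-9][0-9]*\) startups.*/\1 \2/p' |
        head -n 1
}

# startups_busy THRESHOLD: exit 0 when the current count >= THRESHOLD,
# 1 when below, 2 when stdin has no listener line (sshd down or other format)
startups_busy() {
    set -- "$1" $(listener_startups)
    [ $# -eq 3 ] || return 2
    [ "$2" -ge "$1" ]
}

# Self-check on the constructed samples
printf '%s\n' "$SAMPLE_IDLE" | listener_startups     # 0 5
printf '%s\n' "$SAMPLE_BUSY" | listener_startups     # 4 5
```

On a FreeBSD host the live input is `ps -ax -o command | startups_busy 1 && logger -p auth.warning "sshd: unauthenticated connections pending"`, which a cron entry can run every minute. The first number counts connections still in the pre-auth window, so a brief nonzero value is normal; a count that stays up, or sits at the second number (the MaxStartups ceiling, where sshd starts dropping new connections), is the pattern worth looking at.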
 