The Stack Clash vulnerability

FreeBSD tends to be slower than other OSes on addressing security issues, I expect mainly down to having fewer developers.

Seems a fix is in CURRENT, but no idea when this will be pushed back to STABLE. It has happened at an awkward time as 11.1 is in the middle of being prepared for release, so it's possible they may want to wait for that to be released first.

This sysctl will partially mitigate the problem.

security.bsd.unprivileged_proc_debug=0
 
It has happened at an awkward time as 11.1 is in the middle of being prepared for release, so it's possible they may want to wait for that to be released first.
It's still in the BETA stage, and although there are code freezes important security fixes usually get implemented before the release.
 
A patch has been committed to HEAD: https://svnweb.freebsd.org/base?view=revision&revision=320317

It should have been MFC'ed already but apparently the issue is difficult to fix properly so it may take a little longer. There's also a lot of work being done with the impending release of 11.1. So I'm guessing they're somewhat pressed for time (there's only so much you can do in a day with a finite number of developers).
 
Looks like it's still not been backported to STABLE, never mind the 10.3 or 11.0 release. If required, they should delay 11.1 for this, as I consider security more important.
 
Still haven't seen fixes for this come through to 11.0 or 10.3 stable. We're edging on 2 months here. Anyone know what the hold up is?
 
FreeBSD 11.0 will probably not be patched. It's going to be EoL fairly soon (three months after the release of 11.1). So you're advised to upgrade to 11.1 instead.

Not sure about 10.3 though. I'm not sure if 10.3 will get patched, the patch may be incorporated into the upcoming 10.4.
 
ok, so upgrade to 10.4 in about a month it is then...

I have a lot of servers with 10.3 (it's about 120-ish servers..., with some jails) and PHP 5.5 - do you think I need to rebuild that particular quarterly cut with 10.4 - if it works at all?

Or can I just freebsd-update to 10.4 and leave everything else as-is?
 
I have a lot of servers with 10.3 (it's about 120-ish servers..., with some jails) and PHP 5.5 - do you think I need to rebuild that particular quarterly cut with 10.4 - if it works at all?
In general you don't need to rebuild everything after a minor upgrade. Won't hurt though. If you have that many servers I highly recommend setting up ports-mgmt/poudriere. Build once, install many. Poudriere will automatically rebuild everything after an upgrade of its build jails (I recommend just removing the old one and creating a new one though, less error-prone).
 
I've got a poudriere-server, yes.
Have been using it for quite some time (late 2012/early 2013, going by my builds).

Would be insane managing that many servers otherwise.
 
If you want to upgrade your servers to 10.4 I would recommend deleting the 'old' 10.3 jail in poudriere and creating a new jail with the same name but using 10.4. Upgrading them in-place tends to be quite error-prone. Then run a new build run. Poudriere will detect the upgrade and clear existing packages to start fresh, as if poudriere bulk was started with the -c option set. This might be a bit unnecessary but it does ensure dependencies are all correct for 10.4.
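The delete-and-recreate procedure above, as an added sh script that is not from this thread or from poudriere itself. It assumes the jail name, the FreeBSD version and a package-list file are passed as arguments, and the POUDRIERE variable (an assumption) lets you point it at a wrapper that only logs commands for a dry run.

```shell
#!/bin/sh
# Recreate a poudriere build jail for a new release (e.g. 10.3 -> 10.4)
# under the SAME jail name, so the pkg repository URL on the servers does
# not change, then run a clean bulk build. Example script for this thread,
# not poudriere's own code.
# POUDRIERE is an assumption: override it with a logging wrapper to dry-run.
set -eu

POUDRIERE=${POUDRIERE:-poudriere}

# jail_exists NAME -> success if "poudriere jail -l" lists that jail name
# (the header line's first column is JAILNAME, so it never matches).
jail_exists() {
    "$POUDRIERE" jail -l 2>/dev/null |
        awk -v j="$1" '$1 == j { found = 1 } END { exit !found }'
}

# recreate_jail NAME VERSION PKGLIST
# Deletes the existing jail of that name (if any), creates a fresh one from
# the given release, and rebuilds every port in PKGLIST from scratch.
recreate_jail() {
    jail=$1; version=$2; pkglist=$3
    # Conservative name check: poudriere rejects periods in jail names, and
    # we do not want shell-special characters reaching the commands below.
    case $jail in
        ''|*[!A-Za-z0-9_-]*)
            echo "invalid jail name: '$jail'" >&2; return 2 ;;
    esac
    if [ ! -r "$pkglist" ]; then
        echo "package list not readable: '$pkglist'" >&2; return 2
    fi
    if jail_exists "$jail"; then
        # In-place "jail -u" is what the thread calls error-prone; remove instead.
        "$POUDRIERE" jail -d -j "$jail"
    fi
    "$POUDRIERE" jail -c -j "$jail" -v "$version"
    # -c: clean all packages. poudriere would notice the version change on
    # its own, but being explicit makes the full-rebuild intent obvious.
    "$POUDRIERE" bulk -j "$jail" -c -f "$pkglist"
}

# Usage: recreate-jail.sh 103amd64 10.4-RELEASE /usr/local/etc/poudriere.d/pkglist
if [ $# -eq 3 ]; then
    recreate_jail "$1" "$2" "$3"
fi
```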
 
I've never upgraded a build-jail. I only install the patches in them.
For new major versions, I usually make a new jail, with a new name. This requires me to change the repo-url on the servers, too - but that can be done with a script. So, it's not such a big deal.
 