Appreciate that 21.1 is taking a lot of focus atm but was wondering about anticipated timing for the sudo patch for the above (significant) vulnerability making it into OPNsense? FreeBSD's patch is out: https://svnweb.freebsd.org/ports?view=revision&revision=562997
Thanks for the great work as always
Very bad timing. Final build of 21.1 is being tested at the moment and we will not move the release date so 21.1.1 will have the fix which is likely 1-2 weeks from now unless we would throw away the work of the past couple of days and start fresh. :/
Cheers,
Franco
Yeah, I get that. Certainly wouldn't want you to throw away all your work over the last few days!
Maybe a hotfix after 21.1 is out? I realise the vulnerability has been around for years but now everyone knows about it (not just the NSA, CCP and FSB).
Yes as usual I think this will be addressed by a package update and a fixed release later.
I have no doubt in the good work of the opnsense core team.
As it is not a direct remote exploit it should not be that big of a deal for the upcoming release and fix afterwards.
Please correct me if I am wrong.
Maybe we can hotfix it on 20.7.8 this week since we hotfix that anyway for 21.1 upgrades. Which means 20.7.8 is "safer" than 21.1 for the time being... That's all I can promise right now given it causes no issues for upgrades.
Note that sudo is disabled by default...
Cheers,
Franco
Thanks Franco
Ok, as promised... 20.7.8 is patched up but 21.1 can't follow before tomorrow.
In any case packages are compatible between versions 20.7 and 21.1 so that should manually patch up 21.1 for now:
# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/latest/Latest/sudo.txz
Cheers,
Franco
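The manual patch-up Franco describes (force-adding the 20.7 sudo package onto 21.1) wrapped in a version check, as an added example that is not part of this thread or of the OPNsense project. It assumes the fixed sudo version is 1.9.5p2 (the version the linked FreeBSD ports commit updated to; the thread itself does not state a version, so this is an assumption and FIXED_VERSION should be adjusted if needed) and uses only `pkg info`, `pkg query` and `pkg add`, which exist in FreeBSD's pkg. The system is only touched when the script is invoked with `--apply`; the version comparison can be exercised anywhere.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from OPNsense.
# Re-pull the fixed sudo package from the 20.7 repo if the installed one is older.
# ASSUMPTION: 1.9.5p2 is the fixed version (taken from the linked ports commit,
# not from the thread); change FIXED_VERSION if your target differs.

FIXED_VERSION="1.9.5p2"
PKG_URL="https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/latest/Latest/sudo.txz"

# Turn a sudo version such as "1.9.5p2" into four numeric fields "1 9 5 2".
# A port revision suffix ("_1") or epoch (",1") is dropped, and a version
# without a "pN" patch level gets patch level 0, so "1.8.31" -> "1 8 31 0".
split_version() {
    printf '%s\n' "$1" | sed -e 's/[_,].*$//' -e 's/p/./' -e 's/[^0-9.]//g' |
        awk -F. '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# version_lt A B: exit status 0 if A sorts before B, 1 otherwise.
version_lt() {
    a=$(split_version "$1")
    b=$(split_version "$2")
    set -- $a $b            # $1..$4 are A's fields, $5..$8 are B's
    [ "$1" -lt "$5" ] && return 0
    [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0
    [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0
    [ "$3" -gt "$7" ] && return 1
    [ "$4" -lt "$8" ]
}

# Check the installed sudo package and force-reinstall it from the 20.7 repo
# when it is older than FIXED_VERSION. Packages are shared between 20.7 and
# 21.1, which is what makes the cross-version pull safe per the thread.
apply_sudo_fix() {
    if ! pkg info sudo >/dev/null 2>&1; then
        echo "sudo package not installed; nothing to do"
        return 0
    fi
    current=$(pkg query '%v' sudo)
    if version_lt "$current" "$FIXED_VERSION"; then
        echo "sudo $current is older than $FIXED_VERSION; forcing reinstall from $PKG_URL"
        pkg add -f "$PKG_URL"
        echo "now installed: $(pkg query '%v' sudo)"
    else
        echo "sudo $current is already at or above $FIXED_VERSION"
    fi
}

# Only modify the system when explicitly asked.
if [ "${1-}" = "--apply" ]; then
    apply_sudo_fix
fi
```

Run it as `sh sudo-fix.sh --apply` on the firewall; without `--apply` it defines the functions and exits, which is also how the comparator can be checked on any host without pkg. Because the thread notes that sudo is disabled by default on OPNsense, the check says "already at or above" or "not installed" on most boxes and only pulls the package where an older sudo is actually present.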
Awesome, thanks again!