OPNsense Forum
English Forums => General Discussion => Topic started by: Greelan on January 27, 2021, 09:55:44 am
-
Appreciate that 21.1 is taking a lot of focus atm but was wondering about anticipated timing for the sudo patch for the above (significant) vulnerability making it into OPNsense? FreeBSD’s patch is out: https://svnweb.freebsd.org/ports?view=revision&revision=562997
Thanks for the great work as always
-
Very bad timing. Final build of 21.1 is being tested at the moment and we will not move the release date so 21.1.1 will have the fix which is likely 1-2 weeks from now unless we would throw away the work of the past couple of days and start fresh. :/
Cheers,
Franco
-
Yeah, I get that. Certainly wouldn’t want you to throw away all your work over the last few days!
Maybe a hotfix after 21.1 is out? I realise the vulnerability has been around for years but now everyone knows about it (not just the NSA, CCP and FSB).
-
Yes, as usual I think this will be addressed by a package update and a fixed release later.
I have no doubt in the good work of the OPNsense core team.
As it is not a direct remote exploit it should not be that big of a deal for the upcoming release and fix afterwards.
Please correct me if I am wrong.
-
Maybe we can hotfix it on 20.7.8 this week since we hotfix that anyway for 21.1 upgrades. Which means 20.7.8 is "safer" than 21.1 for the time being... That's all I can promise right now given it causes no issues for upgrades.
Note that sudo is disabled by default...
Cheers,
Franco
-
Thanks Franco
-
Ok, as promised... 20.7.8 is patched up but 21.1 can't follow before tomorrow.
In any case packages are compatible between versions 20.7 and 21.1 so that should manually patch up 21.1 for now:
# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/latest/Latest/sudo.txz
Cheers,
Franco
-
Awesome, thanks again!