OPNsense Forum

English Forums => General Discussion => Topic started by: Greelan on January 27, 2021, 09:55:44 am

Title: [SOLVED] CVE-2021-3156
Post by: Greelan on January 27, 2021, 09:55:44 am
Appreciate that 21.1 is taking a lot of focus atm but was wondering about anticipated timing for the sudo patch for the above (significant) vulnerability making it into OPNsense? FreeBSD’s patch is out: https://svnweb.freebsd.org/ports?view=revision&revision=562997

Thanks for the great work as always
Title: Re: CVE-2021-3156
Post by: franco on January 27, 2021, 11:01:20 am
Very bad timing. The final build of 21.1 is being tested at the moment and we will not move the release date, so 21.1.1 will have the fix, which is likely 1-2 weeks from now, unless we throw away the work of the past couple of days and start fresh. :/


Cheers,
Franco
Title: Re: CVE-2021-3156
Post by: Greelan on January 27, 2021, 11:47:07 am
Yeah, I get that. Certainly wouldn’t want you to throw away all your work over the last few days!

Maybe a hotfix after 21.1 is out? I realise the vulnerability has been around for years but now everyone knows about it (not just the NSA, CCP and FSB).
Title: Re: CVE-2021-3156
Post by: banym on January 27, 2021, 11:56:22 am
Yes, as usual I think this will be addressed by a package update and a fixed release later.
I have no doubt in the good work of the opnsense core team.

As it is not a direct remote exploit it should not be that big of a deal for the upcoming release and fix afterwards.
Please correct me if I am wrong.
Title: Re: CVE-2021-3156
Post by: franco on January 27, 2021, 11:57:07 am
Maybe we can hotfix it on 20.7.8 this week since we hotfix that anyway for 21.1 upgrades. Which means 20.7.8 is "safer" than 21.1 for the time being... That's all I can promise right now given it causes no issues for upgrades.

Note that sudo is disabled by default...


Cheers,
Franco
Title: Re: CVE-2021-3156
Post by: Greelan on January 27, 2021, 11:58:00 am
Thanks Franco
Title: Re: CVE-2021-3156
Post by: franco on January 28, 2021, 02:52:57 pm
Ok, as promised... 20.7.8 is patched up but 21.1 can't follow before tomorrow.

In any case packages are compatible between versions 20.7 and 21.1 so that should manually patch up 21.1 for now:

# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/latest/Latest/sudo.txz


Cheers,
Franco
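The one-liner above installs the fixed package unconditionally. The script below is an added example (it is not from the thread and not OPNsense project code) that first decides whether the installed sudo is actually in an affected range, then runs the same `pkg add -f` against the URL pattern used above, and re-checks afterwards. It assumes the affected ranges published in the upstream sudo/Qualys advisory for CVE-2021-3156 (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1, fixed in 1.8.32 and 1.9.5p2), that `pkg query '%v' sudo` reports the installed port version, and that the pkg ABI string and OPNsense release (`FreeBSD:12:amd64`, `20.7`) are passed in rather than hard-coded; the `sudoedit -s /` probe is the advisory's own non-root check, reproduced here as an assumption about its output.

```shell
#!/bin/sh
# Added example, not code from the OPNsense thread or project.
# Decide whether the installed sudo needs the out-of-band 20.7 package,
# install it only when asked (--live), and re-verify afterwards.
# Assumptions (not stated on the page): affected ranges are taken from the
# upstream CVE-2021-3156 advisory; ABI and release are passed as arguments.

# Turn "1.9.5p1" or "1.8.31_1" into one comparable integer:
# major*10^9 + minor*10^6 + patch*10^3 + pN.
# A FreeBSD port revision suffix (_N) is dropped: it does not change the
# upstream sudo version the advisory ranges refer to.
sudo_version_int() {
    v=${1%%_*}                 # 1.8.31_1 -> 1.8.31
    base=${v%%p*}              # 1.9.5p1  -> 1.9.5
    plevel=${v#"$base"}        # -> p1 (or empty)
    plevel=${plevel#p}
    old_ifs=$IFS; IFS=.
    set -- $base               # split on dots into major minor patch
    IFS=$old_ifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    printf '%d\n' $(( maj * 1000000000 + min * 1000000 + pat * 1000 + ${plevel:-0} ))
}

# Returns 0 (true) when the given sudo version is in an affected range
# (1.8.2 .. 1.8.31p2 or 1.9.0 .. 1.9.5p1), 1 otherwise.
sudo_vulnerable_cve_2021_3156() {
    n=$(sudo_version_int "$1")
    lo18=$(sudo_version_int 1.8.2); hi18=$(sudo_version_int 1.8.31p2)
    lo19=$(sudo_version_int 1.9.0); hi19=$(sudo_version_int 1.9.5p1)
    if [ "$n" -ge "$lo18" ] && [ "$n" -le "$hi18" ]; then return 0; fi
    if [ "$n" -ge "$lo19" ] && [ "$n" -le "$hi19" ]; then return 0; fi
    return 1
}

# Build the package URL in the same form as the command in the thread.
sudo_fix_url() {
    abi=$1; release=$2
    printf 'https://pkg.opnsense.org/%s/%s/latest/Latest/sudo.txz\n' "$abi" "$release"
}

# The advisory's probe, to be run as a non-root user: a fixed sudoedit
# rejects -s and prints a "usage:" line, a vulnerable one prints
# "sudoedit: /: not a regular file". (Assumed output, per the advisory.)
sudoedit_probe() {
    first=$(sudoedit -s / 2>&1 | head -n 1)
    case $first in
        usage:*)    echo patched ;;
        sudoedit:*) echo vulnerable ;;
        *)          echo unknown ;;
    esac
}

# Live path: needs pkg(8); only entered with --live so the pure functions
# above can be exercised anywhere.
check_and_patch() {
    abi=${1:-FreeBSD:12:amd64}; release=${2:-20.7}
    cur=$(pkg query '%v' sudo 2>/dev/null) || { echo "pkg reports no sudo package"; return 0; }
    if sudo_vulnerable_cve_2021_3156 "$cur"; then
        echo "sudo $cur is in a CVE-2021-3156 affected range; installing fixed package"
        pkg add -f "$(sudo_fix_url "$abi" "$release")" || return 1
        new=$(pkg query '%v' sudo)
        if sudo_vulnerable_cve_2021_3156 "$new"; then
            echo "still affected after update ($new)"; return 1
        fi
        echo "sudo is now $new"
    else
        echo "sudo $cur is not in an affected range"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_and_patch "$2" "$3"
fi
```

Run it as `sh patch-sudo.sh --live FreeBSD:12:amd64 20.7` on the firewall; without `--live` it only defines the functions. Note that sudo being disabled in the OPNsense GUI does not remove the binary, so the version check, not the GUI setting, is what tells you whether the package needs replacing.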
Title: Re: CVE-2021-3156
Post by: Greelan on January 28, 2021, 09:40:13 pm
Awesome, thanks again!