What is present advice about OpenSSH/SSH/SSHD cve-2024-6387

Started by PerpetualNewbie, July 01, 2024, 06:15:10 PM

Quote from: seed on July 03, 2024, 05:12:24 PM
I also do not understand why people become angry so easy.

Because they don't understand that using opnsense is a privilege. The fact that opnsense offers so much for free is not enough for them. No. They want opnsense developers to respond to their emails or posts right away and fix bugs or implement features that they want immediately because product X or product Y already has those features. They literally act like entitled spoiled brats. If their wishes are not fulfilled in a timely manner, they either start bashing developers for being lazy and irresponsible or they "threaten" that they will switch to alternative solution X or Y.

God forbid they make a donation or buy Deciso hardware when opnsense is working as expected.

Quote from: seed on July 03, 2024, 05:12:24 PM
When the community version support is not enough for one, go buy a business licence and escalate this on the support side.

Exactly. Or go use something else.

Quote from: seed on July 03, 2024, 05:12:24 PM
There are a lot of others that enjoy OPNsense and its high frequency patch releases and community.

Exactly. I'm thankful for this wonderful piece of free software.

Quote from: Patrick M. Hausen on July 03, 2024, 05:35:26 PM
Who's getting angry? The only person in this discussion insulting others is @alex303.

I'm getting angry. However, I'm not insulting anyone. I'm sorry if you somehow recognized yourself in what I wrote.

I commit a lot to OPNsense. If it would be closed source I couldn't do that anymore.  :'(

There's also lots of other committers. It's great that it's open source.
Hardware:
DEC740

I found that line insulting:
Quote: It might. World war 3 might happen tomorrow. See where I'm going with this? This whole thing is so blown out of proportion it's ridiculous.

And that one - not directed at myself, though:
Quote: Leave the IT space and go do something else.

And I stand by my verdict that VPN and SSH are ultimately equivalent technologies and in this specific setting layering does not buy you anything unless your outer layer is proven secure - which we probably both know does not exist outside of small theoretical example programs in universities. This is backed by 30 years of experience including consulting for state agencies.

An RCE in SSH or any VPN technology for that matter is the absolute worst case. I hope we can agree on that. And I did not see anyone in this thread demand Deciso fix it *now*.

After a more thorough assessment it seems to be the general consensus that FreeBSD can be considered safe unless proven otherwise. And we will get a patch next week.

The initial advisory by the FreeBSD security team might have been a bit overblown, but I understand and also fully support their better safe than sorry approach.

And last I also have a track record of 30 years of giving back to the FreeBSD project, and the OPNsense project more recently. Code, advocacy, donations, support, hosted two EuroBSDCons ...

If you want to chat about this over a beer or two - Dublin in September ;)

Kind regards,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote: Leave the IT space and go do something else.

Full support, such comments are neither helpful nor serve any issue for the community. Hoped it would go uncommented.

The people aware of the shortcomings broadly accepted in everyday life of "pros" should not leave the profession, but have more responsibility in decision making for further hard- and software security. The next few years will be a hard time for security on a global scale...
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

I bought 3 years of Business license, and intend to buy 3 more when that runs out. Also going to try and buy some hardware in the next 2 years, so not exactly a free-loader.

I am very grateful to be using the Community edition, and I deeply appreciate the forums.
Thank you to the devs and all who offer support in whatever form they can afford.
AppNeta m50 8GB
DEC690

*Nothing takes 5 minutes.*