[SOLVED] CVE-2021-3156

[Greelan]

Appreciate that 21.1 is taking a lot of focus atm but was wondering about anticipated timing for the sudo patch for the above (significant) vulnerability making it into OPNsense? FreeBSD’s patch is out: https://svnweb.freebsd.org/ports?view=revision&revision=562997

Thanks for the great work as always

[franco]

Very bad timing. Final build of 21.1 is being tested at the moment and we will not move the release date so 21.1.1 will have the fix which is likely 1-2 weeks from now unless we would throw away the work of the past couple of days and start fresh. :/


Cheers,
Franco

[Greelan]

Yeah, I get that. Certainly wouldn’t want you to throw away all your work over the last few days!

Maybe a hotfix after 21.1 is out? I realise the vulnerability has been around for years but now everyone knows about it (not just the NSA, CCP and FSB ).

[banym]

Yes as usual I think this will be addressed by a package update and a fixed release later.
I have not doubt in the good work of the opnsense core team.

As it is not a direct remote exploit it should be not that big of a deal for the upcomming release and fix afterwards.
Please correct me if I am wrong.

[franco]

Maybe we can hotfix it on 20.7.8 this week since we hotfix that anyway for 21.1 upgrades. Which means 20.7.8 is "safer" than 21.1 for the time being... That's all I can promise right now given it causes no issues for upgrades.

Note that sudo is disabled by default...


Cheers,
Franco

[Greelan]

Thanks Franco

[franco]

Ok, as promised... 20.7.8 is patched up but 21.1 can't follow before tomorrow.

In any case packages are compatible between versions 20.7 and 21.1 so that should manually patch up 21.1 for now:

# pkg add -f https://pkg.opnsense.org/FreeBSD:12:amd64/20.7/latest/Latest/sudo.txz


Cheers,
Franco

[Greelan]

Awesome, thanks again!