Bug #12544

open

OpenSSH vulnerabilities

Added by Viktor Gurov 2 months ago. Updated about 2 months ago.

Status: New
Priority: Normal
Assignee: -
Category: Operating System
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version: 2.5.2
Affected Architecture:

Actions #1

Updated by Kris Phillips 2 months ago

pfSense CE 2.6.0 and pfSense Plus 22.01 have OpenSSH-7.9p1 so they are also affected by this.

Actions #2

Updated by Jim Pingle 2 months ago

You cannot go by version number alone. FreeBSD typically carries patches for known vulnerabilities that don't bump the version number of OpenSSH in base. It's not even clear which, if any, of those are relevant to FreeBSD (e.g. the first one linked definitely isn't, as it requires a custom experimental option); some of those may only affect the version in ports and/or portable OpenSSH, which isn't in use either.

To say it's vulnerable would necessitate cross-referencing the version in the FreeBSD base tree with changes in OpenSSH made to address these. Only if the CVE is relevant and no fix is present in FreeBSD would it be a concern.

Actions #3

Updated by Kris Phillips about 2 months ago

Jim Pingle wrote in #note-2:

You cannot go by version number alone. FreeBSD typically carries patches for known vulnerabilities that don't bump the version number of OpenSSH in base. It's not even clear which, if any, of those are relevant to FreeBSD (e.g. the first one linked definitely isn't, as it requires a custom experimental option); some of those may only affect the version in ports and/or portable OpenSSH, which isn't in use either.

To say it's vulnerable would necessitate cross-referencing the version in the FreeBSD base tree with changes in OpenSSH made to address these. Only if the CVE is relevant and no fix is present in FreeBSD would it be a concern.

Either way, even if our current stable releases of both CE and pfSense Plus were vulnerable, which is a question mark, they definitely won't be when the version number bumps up with the next release.
