Update NUT due to CVE-2012-2944
NUT can be remotely crashed (CVE-2012-2944).
Any objections to updating the binary package from FreeBSD ports?
2.2.2 is quite dated by now (2008); what about updating to the 2.6 branch, which includes much improved UPS support?
#2 Updated by Jim Pingle about 7 years ago
- Status changed from New to Feedback
Updated binaries, reinstalled, works fine for me with my APC Back-UPS ES 450. I imagine it should work for others also.
However, now I recall why we were on the old version. Versions of nut after 2.2.x no longer support internal network access restrictions. Instead they rely on changing the interface binding and firewall rules.
When the new package code goes up here momentarily, any existing ACLs will break, and it will only bind to localhost.
The user can add a port forward from TCP port 3493 to localhost:3493 and regain access.
Also, because the users can't be restricted by host any more, I changed the local status user to use a (somewhat) randomly generated password rather than "mypass"; otherwise someone could have logged in remotely with that (now global) user if a NAT rule was added.
I went forward with the change anyhow due to the CVE.
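An added example (not the pfSense package's own code) of the configuration change described in the comment above: it rewrites a constructed NUT 2.2-style upsd.conf/upsd.users pair into the LISTEN-based form used from 2.4 onward, replaces the shared "mypass" with a generated password, and flags any user still on a well-known default. The directive names (ACL/ACCEPT/REJECT, allowfrom, LISTEN) are taken from NUT's own documentation; the sample configs are constructed.

```python
"""Migrate a NUT 2.2-style upsd.conf / upsd.users pair to the 2.4+ model.

Illustration only, not pfSense package code. Assumes NUT's documented syntax:
2.2.x restricted clients with ACL/ACCEPT/REJECT in upsd.conf and 'allowfrom'
in upsd.users; 2.4+ dropped those in favour of LISTEN plus a host firewall.
"""
import re
import secrets

# Constructed sample of a 2.2-era configuration.
OLD_UPSD_CONF = "ACL all 0.0.0.0/0\nACL localhost 127.0.0.1/32\nACCEPT localhost\nREJECT all\n"
OLD_UPSD_USERS = "[monuser]\n    password = mypass\n    allowfrom = localhost\n    upsmon master\n"

REMOVED_CONF = ("ACL", "ACCEPT", "REJECT")   # no longer honoured by 2.4+
REMOVED_USERS = ("allowfrom",)
KNOWN_DEFAULTS = {"mypass", "password", "secret"}


def migrate_upsd_conf(text, listen="127.0.0.1", port=3493):
    """Drop host-based ACLs and bind upsd to a single address instead."""
    kept = [ln for ln in text.splitlines()
            if not ln.strip().upper().startswith(REMOVED_CONF)]
    kept.append(f"LISTEN {listen} {port}")
    return "\n".join(kept) + "\n"


def migrate_upsd_users(text, new_password):
    """Drop allowfrom (no longer enforced) and replace the shared password."""
    out = []
    for ln in text.splitlines():
        if ln.strip().startswith(REMOVED_USERS):
            continue
        ln = re.sub(r"^(\s*password\s*=\s*).*$",
                    lambda m: m.group(1) + new_password, ln)
        out.append(ln)
    return "\n".join(out) + "\n"


def weak_passwords(text):
    """Return (user, password) pairs still using a well-known default."""
    user, found = None, []
    for ln in text.splitlines():
        if m := re.match(r"^\s*\[(\S+)\]", ln):
            user = m.group(1)
        if (m := re.match(r"^\s*password\s*=\s*(\S+)", ln)) \
                and m.group(1).lower() in KNOWN_DEFAULTS:
            found.append((user, m.group(1)))
    return found


if __name__ == "__main__":
    print(weak_passwords(OLD_UPSD_USERS))            # [('monuser', 'mypass')]
    print(migrate_upsd_conf(OLD_UPSD_CONF), end="")
    print(migrate_upsd_users(OLD_UPSD_USERS, secrets.token_urlsafe(16)), end="")
```

With upsd bound to 127.0.0.1 only, remote clients need the port forward to localhost:3493 mentioned above, which is why the password must no longer be a default.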
#5 Updated by Jim Pingle about 7 years ago
I posted a HEADS UP message on the package forum.
Additional testing is always helpful. It Works For Me(tm) but I don't use it in a complex manner as some do.