OpenBSD Journal

Bug in PF for some -current users

Contributed by jose on from the missed-packets dept.

If you're an aggressive tracker of -current, you may have introduced a bug into your PF system. Daniel explains it in this post:
The problem described below only affects -current systems updated within a recent, narrow time frame. 3.4-stable, 3.4-release and earlier are NOT affected in any way.
Note that this affects a pretty small number of people because of the small window of vulnerability in this bug, but the nature of it is serious. Most of you won't have to worry, but if you've been keeping -current on your firewall in the past week or so, read the message and make sure you're patched.

Thanks, Daniel.


  1. By Anonymous Coward () on

    The link appears to be dead.

    1. By Anonymous Coward () on

      Works fine for me. In case it still doesn't work for you, here's Google Groups' copy. Regards

  2. By bsdguy () on

    I just updated one of my OpenBSD systems last night with current and was setting up pf. I get to update again cool!!!

    1. By Anonymous Coward () on

      1.188 (bug) committed Thu Jan 22 13:32:00 2004 UTC
      1.189 (fix) committed Sun Jan 25 18:47:15 2004 UTC

  3. By Anonymous Coward () on

    Does not apply to snapshots before Thu Jan 22 (13:32:00 2004 UTC) or after Sun Jan 25 (18:47:15 2004 UTC). I've been watching the USA mirror and from what I saw, Jan 20 and now Jan 27 snapshots are available for i386. Those dates are outside the cut-off points, thank goodness. Special thanks goes out to the snapshot builders/mirrors for keeping the snapshots up-to-date (I see directory dates for the core packages of Jan 27) - again just looking at the USA mirror...

  4. By Steve () on

    $ head -n 1 /usr/src/sbin/pfctl/pfctl_parser.c
    /* $OpenBSD: pfctl_parser.c,v 1.188 2004/01/22 13:32:00 henning Exp $ */

    I just installed a snapshot too, because I loathe building from source on this slow ass 75MHz SPARCstation...

    1. By Anonymous Coward () on

      No worries, you would still be compiling the vulnerable version anyways...:-)
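The two comments above give everything needed for a defensive check: the first line of pfctl_parser.c carries its RCS id, and the comment before it names 1.188 as the revision that introduced the bug and 1.189 as the fix. The following POSIX sh script is an added example, not code from the article or from the OpenBSD tree; the function names and the 1.189/1.187 sample ids are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article or the OpenBSD tree. It classifies a
# pfctl_parser.c checkout by the revision in its $OpenBSD$ RCS id, using the
# revisions given in the comments: 1.188 introduced the bug, 1.189 fixed it.
# Function names and the sample ids below are constructed for illustration.

BUG_MAJOR=1; BUG_MINOR=188      # first revision carrying the bug
FIX_MAJOR=1; FIX_MINOR=189      # first revision with the fix

# pf_parser_status LINE
#   LINE is the first line of pfctl_parser.c, e.g.
#   /* $OpenBSD: pfctl_parser.c,v 1.188 2004/01/22 13:32:00 henning Exp $ */
#   Prints one of: vulnerable, fixed, unaffected (older than 1.188), unknown.
pf_parser_status() {
    rev=$(printf '%s\n' "$1" |
        sed -n 's/.*pfctl_parser\.c,v \([0-9][0-9]*\)\.\([0-9][0-9]*\) .*/\1 \2/p')
    if [ -z "$rev" ]; then
        printf 'unknown\n'
        return 0
    fi
    major=${rev% *}
    minor=${rev#* }
    # Compare (major, minor) pairs numerically, not as strings.
    if [ "$major" -lt "$BUG_MAJOR" ] ||
       { [ "$major" -eq "$BUG_MAJOR" ] && [ "$minor" -lt "$BUG_MINOR" ]; }; then
        printf 'unaffected\n'
    elif [ "$major" -lt "$FIX_MAJOR" ] ||
         { [ "$major" -eq "$FIX_MAJOR" ] && [ "$minor" -lt "$FIX_MINOR" ]; }; then
        printf 'vulnerable\n'
    else
        printf 'fixed\n'
    fi
}

# check_pf_tree [FILE]
#   Reads the RCS id from FILE (default: the source tree path used in Steve's
#   comment above) and exits non-zero if the checkout carries the bug.
check_pf_tree() {
    file=${1:-/usr/src/sbin/pfctl/pfctl_parser.c}
    status=$(pf_parser_status "$(head -n 1 "$file")")
    printf '%s: %s\n' "$file" "$status"
    [ "$status" != vulnerable ]
}

# Stand-alone demonstration: the id quoted in Steve's comment, then two
# constructed ids (the 1.189 and 1.187 lines are made up for this example).
pf_parser_status '/* $OpenBSD: pfctl_parser.c,v 1.188 2004/01/22 13:32:00 henning Exp $ */'
pf_parser_status '/* $OpenBSD: pfctl_parser.c,v 1.189 2004/01/25 18:47:15 committer Exp $ */'
pf_parser_status '/* $OpenBSD: pfctl_parser.c,v 1.187 2004/01/10 12:00:00 someone Exp $ */'
```

Run `check_pf_tree` on a firewall whose /usr/src was updated in the window the comments describe; a snapshot built in that window ships the same 1.188 id, which is the point of Steve's exchange above.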

  5. By pete gilman () on

    daniel said: "if you've been keeping -current on your firewall in the past week or so, read the message and make sure you're patched."

    if you keep -current *anything* on a production machine, you need to have your head examined.

    1. By Anonymous Coward () on

      We're running -current on ~20 production machines and have not had a single problem with it for some years now. Read source-changes@ to know when big changes occur, test it on a development server, deploy it.

    2. By Anonymous Coward () on

      OMG is that true?
      Believe it or not, I had an entire site running under -current. Shit happens even under -stable, it's just a matter of taste.

      1. By Kim () on

        You are pretty lucky to not have any major problems. Just read this thread:

        That guy couldn't login to his machine after upgrading to -current and Theo's response:

        It is precisely for this reason that we ask users to use snapshots.

        Big changes happen.

        1. By tedu () on

          that's because he failed to follow procedure. all the other developers who did had no trouble.


Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]