missing security patches
- What is the current plan/strategy to keep the firewalla firmware stack up-to-date, especially with security and stability packages? I will send a private message separately with a more complete list.
- Is there any way to run a firewalla as a docker image to test packages/configs quickly without taking the risk of breaking one's primary router to the internet and having to reflash it? Alternatively, can we just use a Raspberry Pi (might not work for performance testing but might be ok for functional)
background:
- while considering installing podman (as a hardened alternative to docker) I noticed that firewalla's Ubuntu build is missing problematic updates (for instance openssl: firewalla = 18.04.5 vs Ubuntu LTS 18.04.9).
- I remember someone warning about updating packages as it could lead to instabilities, which I completely understand; however, this is why it would make sense for firewalla to stay on top of each and every Ubuntu package update and/or crowdsource the effort by providing a way to set up a test bed...
this is just an example for the openssl package:
openssl (1.1.1-1ubuntu2.1~18.04.9) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference in
      ssl/statem/extensions.c.
    - debian/patches/CVE-2021-3449-2.patch: teach TLSProxy how to encrypt
      <= TLSv1.2 ETM records in util/perl/TLSProxy/Message.pm.
    - debian/patches/CVE-2021-3449-3.patch: add a test to
      test/recipes/70-test_renegotiation.t.
    - debian/patches/CVE-2021-3449-4.patch: ensure buffer/length pairs are
      always in sync in ssl/s3_lib.c, ssl/ssl_lib.c,
      ssl/statem/extensions.c, ssl/statem/extensions_clnt.c,
      ssl/statem/statem_clnt.c, ssl/statem/statem_srvr.c.
    - CVE-2021-3449

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Mar 2021 07:42:42 -0400

openssl (1.1.1-1ubuntu2.1~18.04.8) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - debian/patches/CVE-2021-23840-pre1.patch: add a new EVP error code in
      crypto/err/openssl.txt, crypto/evp/evp_err.c,
      include/openssl/evperr.h.
    - debian/patches/CVE-2021-23840.patch: don't overflow the output length
      in EVP_CipherUpdate calls in crypto/err/openssl.txt,
      crypto/evp/evp_enc.c, crypto/evp/evp_err.c, include/openssl/evperr.h.
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - debian/patches/CVE-2021-23841.patch: fix Null pointer deref in
      crypto/x509/x509_cmp.c.
    - CVE-2021-23841

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 17 Feb 2021 07:35:54 -0500

openssl (1.1.1-1ubuntu2.1~18.04.7) bionic-security; urgency=medium

  * SECURITY UPDATE: EDIPARTYNAME NULL pointer de-ref
    - debian/patches/CVE-2020-1971-1.patch: use explicit tagging for
      DirectoryString in crypto/x509v3/v3_genn.c.
    - debian/patches/CVE-2020-1971-2.patch: correctly compare EdiPartyName
      in crypto/x509v3/v3_genn.c.
    - debian/patches/CVE-2020-1971-3.patch: check that multi-strings/CHOICE
      types don't use implicit tagging in crypto/asn1/asn1_err.c,
      crypto/asn1/tasn_dec.c, crypto/err/openssl.txt,
      include/openssl/asn1err.h.
    - debian/patches/CVE-2020-1971-4.patch: complain if we are attempting
      to encode with an invalid ASN.1 template in crypto/asn1/asn1_err.c,
      crypto/asn1/tasn_enc.c, crypto/err/openssl.txt,
      include/openssl/asn1err.h.
    - debian/patches/CVE-2020-1971-5.patch: add a test for GENERAL_NAME_cmp
      in test/v3nametest.c.
    - debian/patches/CVE-2020-1971-6.patch: add a test for
      encoding/decoding using an invalid ASN.1 Template in
      test/asn1_decode_test.c, test/asn1_encode_test.c.
    - CVE-2020-1971

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 02 Dec 2020 09:54:45 -0500

openssl (1.1.1-1ubuntu2.1~18.04.6) bionic-security; urgency=medium

  * SECURITY UPDATE: ECDSA remote timing attack
    - debian/patches/CVE-2019-1547.patch: for ECC parameters with NULL or
      zero cofactor, compute it in crypto/ec/ec_lib.c.
    - CVE-2019-1547
  * SECURITY UPDATE: Fork Protection
    - debian/patches/CVE-2019-1549.patch: ensure fork-safety without using
      a pthread_atfork handler in crypto/include/internal/rand_int.h,
      crypto/init.c, crypto/rand/drbg_lib.c, crypto/rand/rand_lcl.h,
      crypto/rand/rand_lib.c, crypto/threads_none.c,
      crypto/threads_pthread.c, crypto/threads_win.c,
      include/internal/cryptlib.h, test/drbgtest.c.
    - CVE-2019-1549
  * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64
    - debian/patches/CVE-2019-1551.patch: fix an overflow bug in
      rsaz_512_sqr in crypto/bn/asm/rsaz-x86_64.pl.
    - CVE-2019-1551
  * SECURITY UPDATE: Padding Oracle issue
    - debian/patches/CVE-2019-1563.patch: fix a padding oracle in
      PKCS7_dataDecode and CMS_decrypt_set1_pkey in crypto/cms/cms_env.c,
      crypto/cms/cms_lcl.h, crypto/cms/cms_smime.c,
      crypto/pkcs7/pk7_doit.c.
    - CVE-2019-1563

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 27 May 2020 15:15:54 -0400

openssl (1.1.1-1ubuntu2.1~18.04.5) bionic-security; urgency=medium

  * debian/patches/OPENSSL_malloc_init_hang.patch: make
    OPENSSL_malloc_init() a no-op to remove a potential infinite loop that
    can occur in some situations, such as with MySQL 5.7 on s390x.

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 12 Nov 2019 11:58:35 -0500
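An added check (my own example, not Firewalla's script and not code from anyone in this thread) that turns the comparison above into something repeatable: it parses a Debian-format changelog like the one quoted, compares the installed package version with each entry using dpkg's version ordering (epoch, then upstream, then revision; "~" sorts before everything, letters before other characters, numeric runs compared as integers), and lists the security entries and CVE ids the installed version predates. The changelog text is a constructed excerpt of the entries quoted above, trimmed to headers, CVE lines and trailers, with the 18.04.7 entry left out; on a real box the inputs would be `dpkg-query -W -f='${Version}' openssl` for the installed version and the changelog shipped with the newer package (or `apt changelog openssl` where the box can reach the archive).

```python
# Which security fixes in a Debian/Ubuntu changelog does an installed version lack?
import re
from itertools import zip_longest

# Constructed excerpt of the openssl changelog quoted in the post, trimmed to the
# entry headers, CVE lines and trailers (the 18.04.7 entry is omitted for brevity).
SAMPLE_CHANGELOG = """\
openssl (1.1.1-1ubuntu2.1~18.04.9) bionic-security; urgency=medium

  * SECURITY UPDATE: NULL pointer deref in signature_algorithms processing
    - debian/patches/CVE-2021-3449-1.patch: fix NULL pointer dereference
    - CVE-2021-3449

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Mon, 22 Mar 2021 07:42:42 -0400

openssl (1.1.1-1ubuntu2.1~18.04.8) bionic-security; urgency=medium

  * SECURITY UPDATE: Integer overflow in CipherUpdate
    - CVE-2021-23840
  * SECURITY UPDATE: Null pointer deref in X509_issuer_and_serial_hash()
    - CVE-2021-23841

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 17 Feb 2021 07:35:54 -0500

openssl (1.1.1-1ubuntu2.1~18.04.6) bionic-security; urgency=medium

  * SECURITY UPDATE: ECDSA remote timing attack
    - CVE-2019-1547
  * SECURITY UPDATE: Fork Protection
    - CVE-2019-1549
  * SECURITY UPDATE: rsaz_512_sqr overflow bug on x86_64
    - CVE-2019-1551
  * SECURITY UPDATE: Padding Oracle issue
    - CVE-2019-1563

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Wed, 27 May 2020 15:15:54 -0400

openssl (1.1.1-1ubuntu2.1~18.04.5) bionic-security; urgency=medium

  * debian/patches/OPENSSL_malloc_init_hang.patch: make
    OPENSSL_malloc_init() a no-op to remove a potential infinite loop

 -- Marc Deslauriers <marc.deslauriers@ubuntu.com>  Tue, 12 Nov 2019 11:58:35 -0500
"""

ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=", re.MULTILINE)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _char_order(c):
    """dpkg weight of a non-digit character: '~' < end of string < letters < others."""
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_part(a, b):
    """Compare two version fragments by alternating non-digit and digit runs."""
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(sa):], b[len(sb):]
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _char_order(ca) != _char_order(cb):
                return -1 if _char_order(ca) < _char_order(cb) else 1
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", epoch
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = revision, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like `dpkg --compare-versions`: epoch, upstream, then revision."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)


def parse_changelog(text):
    """Return (version, distribution, sorted CVE ids) for each entry, newest first."""
    heads = list(ENTRY_RE.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        cves = sorted(set(CVE_RE.findall(text[m.end():end])))
        entries.append((m.group(2), m.group(3), cves))
    return entries


def missing_fixes(changelog, installed):
    """Changelog entries strictly newer than the installed version."""
    return [e for e in parse_changelog(changelog) if compare_versions(e[0], installed) > 0]


if __name__ == "__main__":
    # Installed version as reported in the post (18.04.5); the three newer entries are listed.
    for version, dist, cves in missing_fixes(SAMPLE_CHANGELOG, "1.1.1-1ubuntu2.1~18.04.5"):
        print(version, dist, ", ".join(cves) or "no CVE listed")
```

The version comparison deliberately reimplements dpkg's ordering rather than string-comparing, because `~18.04.5` against `~18.04.9` and `1.0~rc1` against `1.0` only come out right under those rules; `dpkg --compare-versions A lt B` is the reference to check it against on a box. An entry is only counted when its version is strictly newer than the installed one, so a box that already has the latest entry reports nothing.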
-
Thank you FF & Danny
We do push out security updates with different releases if the CVE impacts the core running code. We do actively monitor the various CVEs (either from nice customers or from our own research).
If you are using services that are not the core, you should be able to update to the latest version using the apt tools; and in case the update didn't work, a reboot should be able to fix everything.
I do know we are working on a small script for you to commit the above fix to the base image if needed; once that's ready, we will share it here.
-
@Firewalla, what is the status of this?
Very concerning that we aren't able to patch the system quickly when it needs to be. Lack of ability to patch also limits your market coverage. Along with that, how do we backup the system to recover to a known good state should something corrupt the system in some fashion?
-
The ability to update your own packages is here https://help.firewalla.com/hc/en-us/articles/4406630307091-How-to-manually-upgrade-Linux-package-on-your-Firewalla-box
But in general, we do not recommend patching unless you know why the patch needs to be there.