I updated from core 149 to core 150 today on a Raspberry Pi, 4 days after it was released. Am I in any danger that there were exploits that could have compromised my system in those 4 days? Were there any security updates that put the system at risk?
Hi @rustyhook,
Updates should be installed as soon as possible. There were a lot of Updates before core 150 so updating later might have happened before and might happen again.
As stated in the blog ( https://blog.ipfire.org/ ) there were security issues.
You phrase that like there is a Firewall out there which can guarantee total security. There is not. So yes, you could get compromised in those 4 days or the next 4 days and so on. After all the weakest spot in a system is still human (like installing a malicious program with your own hands).
If you really want to assess the risk for IPFire, use Bugzilla and dig in for details:
If you look at the commits to the 4.14 kernel, you will see there were already security fixes that existed when core 148 and 149 were released. And since core 150 sat in testing for a few weeks, as it is, 149 also had security fixes needed when it came out.
Is IPFire not secure in that it blocks all incoming? From the kernel commits it was some DoS and access to the RNG that existed. Since IPFire blocks incoming yet responds to ICMP, doesn’t this block any risk?
We may as well run testing branch since stable releases with exploits
We need to distinguish between different types of security vulnerabilities here.
In case Core Update 150 fixed a security vulnerability which could be exploited remotely, IPFire systems were exposed to a risk of being compromised becoming greater as they stayed online without being patched. At the time of writing, I am unaware of such a vulnerability. However, I cannot guarantee there wasn’t any - not every security vulnerability gets a CVE assigned and is tracked like one.
Needless to say, we release Core Updates fixing RCEs as fast as possible. Since we are unable to test all exotic hardware or environments, we have to rely on testing feedback, thus delaying releases for usually about two weeks.
Running a testing release for security reasons would contradict the problem.
To sum it up: Please install released Core Updates as fast as possible. We will let you know if they fix vulnerabilities actively exploited in the wild.
Thanks, and best regards,