Daily security email with pcre-8.38 vulnerabilities

[hervon]

I have been receiving this email for a couple of days for my current 9.10 stable FreeNAS:

Checking for packages with security vulnerabilities:
Database fetched: Tue Apr 5 03:37:18 EDT 2016
pcre-8.38

-- End of security output --

I checked for updates : no new updates. Verified my install : ok.

Should I worry ?

 

[gladroger]

I got the same messages.


SYND.local kernel log messages:

> Limiting open port RST response from 727 to 200 packets/sec Limiting

> open port RST response from 280 to 200 packets/sec Limiting closed

> port RST response from 201 to 200 packets/sec Limiting open port RST

> response from 911 to 200 packets/sec


Checking for packages with security vulnerabilities:

pcre-8.38

-- End of security output --

 

[mav@]

According to FreeBSD security report, if this vulnerability can really be exploited somehow on FreeNAS, it can be used for Denial of Service attack. Fix for it appeared in FreeBSD ports tree only few days ago. I don't think it is a reason to worry too much, since such situations are in fact quite often if you start to track them closely, but we'll consider it before the next software update.

 

[Codie]

most pcre vulnerabilities are pre 8.38 iirc according to https://www.cvedetails.com/vulnerability-list/vendor_id-3265/Pcre.html - the only one that wouldnt be pre 8.38 according to the site would be https://www.cvedetails.com/cve/CVE-2016-3191/ -- so examine it accordingly, and if you think it affects you/freenas ensure anything that uses PCRE 8.38 isnt exposed to the WAN til its updated(i assume this includes jails if they use the same pkg repo) - i dont know where/if pcre is used within FreeNAS but this is all the info i could grab on the respective information - FYI i think owncloud(jail) uses PCRE, so if you have an owncloud jail and expose it to the WAN/Internet this could be affected, and possibly affect FreeNAS in some way

(Edit)
when i checked the FreeNAS github i found it mentioned in the following locations:
src/pcbsd/warden/pluginjail-packages (mentions /devel/pcre)
nas_ports/ftp/proftpd/Makefile
nas_ports/security/sssd/Makefile
nas_ports/sysutils/syslog-ng/Makefile
all of the make files mention 'libpcre.so:${PORTSDIR}/devel/pcre \'

Now, im not sure how they use PCRE or if it would affect FreeNAS as a whole, but as far as those go if you use them double check to see if the vulnerability affects your setup; as far as each jail goes youll have to double check each one...google should help out on this, google the applications name and PCRE - if pcre is a dependency of it, it uses it somehow and if that part of the code is exposed to users could affect the jail which then could in turn affect the whole system in theory

 

[dlavigne]

Notes that mav reported this: https://bugs.freenas.org/issues/14488.