undefined | Better HN

0 pointsrvz12h ago0 comments

> IV. Workaround

> No workaround is available.

Oh dear.

0 comments

> V. Solution

> Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.

Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.

epcoa12h ago

Anyone relying on a 30+ year old monolith kernel written in C to not have some exploitable LPEs lurking should stay in basket weaving and out of sysadmin.

cyberpunk12h ago

Yep.

You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.

TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?

3 more replies

itsthefrank12h ago

Not sure why the snark but if people are running FreeBSD then they should be...basket weaving instead of using it? Yes, the correct solution is to patch and reboot but not everyone is in a place to jump and do that which is why a temp workaround, if possible, would be welcome

1 more reply

yjftsjthsd-h11h ago

...as opposed to what, exactly? Linux is a 34 y.o. monolithic kernel in C, the BSDs are all forked from the same base (386BSD) of around the same age, XNU is 29 years old (and also heavily based on BSD code while also throwing in mach code) in C and other languages,...

1 more reply

skydhash12h ago

Why can't they? Upgrading and rebooting is kinda the standard response for most security issues. So I would expect something like Ansible's playbooks for this exact scenario. You might also have it setup as a staggered rollout.

paulddraper11h ago

What prevents it?

jeffrallen49m ago

IV. Workaround

Accept that everything is broken and terrible and yet somehow find a way to keep a sense of humor and smile about it.

tptacek11h ago

Does this vulnerability not rely on SUID binaries?

cperciva10h ago

I don't think so? It's a buffer overflow in the system call.

tptacek9h ago

I just read that it was spilling into argv or something and assumed the vector was somehow injecting arguments or something.

1 more reply

wolvoleo11h ago

Why? Just update.

ActorNightly1h ago

I really am starting to think that the level of technical understanding on HN is so low that when readers see an exploit like this, they imagine basically the cult classic movie "Hackers" in their heads where some guy hacks into any machine of their choosing.

j / k navigate · click thread line to collapse

0 comments

itsthefrank12h ago

> V. Solution

> Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.

Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.

epcoa12h ago

Anyone relying on a 30+ year old monolith kernel written in C to not have some exploitable LPEs lurking should stay in basket weaving and out of sysadmin.

cyberpunk12h ago

Yep.

You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.

TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?

3 more replies

itsthefrank12h ago

1 more reply

yjftsjthsd-h11h ago

1 more reply

skydhash12h ago

paulddraper11h ago

What prevents it?