> Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot the system.
Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.
epcoa•44m ago
Anyone relying on a 30+ year old monolith kernel written in C to not have some exploitable LPEs lurking should stay in basket weaving and out of sysadmin.
itsthefrank•37m ago
Not sure why the snark but if people are running FreeBSD then they should be...basket weaving instead of using it? Yes, the correct solution is to patch and reboot but not everyone is in a place to jump and do that which is why a temp workaround, if possible, would be welcome
cyberpunk•36m ago
Yep.
You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.
TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?
jmspring•16m ago
Stability of ecosystem. No systemd. Native ZFS. Jails over Docker. Been using it for 20+ years and it’s my preferred server OS.
cyberpunk•5m ago
No, I mean do you run FreeBSD boxes where users who should not ever assume root access actually login to do tasks?
My point is that if you do, you probably shouldn't run, for e.g applications which need production db credential, or hold sensitive data on these boxes, or .. whatever.
Edit: I use FreeBSD extensively, for various things -- but shell access to them is restricted to the sysadmins..
icedchai•3m ago
Same. I've been using it since 1996. Initially, we used it at an early ISP for DNS, SMTP, and POP3 for roughly 8K users, and it stuck with me.
skydhash•39m ago
Why can't they? Upgrading and rebooting is kinda the standard response for most security issues. So I would expect something like Ansible's playbooks for this exact scenario. You might also have it setup as a staggered rollout.
doublerabbit•43m ago
Linux is on their second and FreeBSD is on their first. How many is Windows on?
pjmlp•39m ago
Plenty, Microsoft has security teams whose job is to attack Windows.
Naturally they don't do blog posts about what they find.
hnlmorg•32m ago
You talk as if Windows is the only OS that has red teams attacking the system when clearly that isn’t even remotely true.
dwattttt•37m ago
If you think Linux is on their first or second, I'm not sure how or what you're counting.
doublerabbit•21m ago
> I'm not sure how or what you're counting.
The recent two. FailCopy and DirtyFrag and FreeBSD with Execve.
2 - Linux
1 - FreeBSD.
Of course, all OS have had past-time exploits. Three now have made the news.
cyberpunk•39m ago
This is from April 28th, it was patched in 15.0R-p7.
itsthefrank•35m ago
-p8 is the current patch level for 15.0-RELEASE so if people have been keeping on top of patching this is already two reboots in the past.
loeg•24m ago
Just yesterday, cperciva was bragging about the FreeBSD approach to security: https://news.ycombinator.com/item?id=48056853 You can argue the response here was well coordinated, but having an LPE in a core syscall like execve() isn't ideal.
broken-kebab•10m ago
Or in other words, the response is well-coordinated so cperciva's bragging is justified, isn't it?
bch•5m ago
Its like rain on your wedding day - not actually ironic, just unfortunate.
rvz•1h ago
> No workaround is available.
Oh dear.
itsthefrank•49m ago
> Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot the system.
Not everyone can just freebsd-update and reboot, so yes, "Oh dear." is a good response to this.
epcoa•44m ago
itsthefrank•37m ago
cyberpunk•36m ago
You should treat any system where non-admins regularly login as basically insecure/owned and rig your architecture appropriately.
TBH -- I don't have any of these kinds of boxes anymore. Who is really running anything like this in 2026 and for what purpose?
jmspring•16m ago
cyberpunk•5m ago
My point is that if you do, you probably shouldn't run, for e.g applications which need production db credential, or hold sensitive data on these boxes, or .. whatever.
Edit: I use FreeBSD extensively, for various things -- but shell access to them is restricted to the sysadmins..
icedchai•3m ago
skydhash•39m ago