Author Topic: How to address CVE-2017-1000254 on OpnSense  (Read 2442 times)

curioustech

How to address CVE-2017-1000254 on OpnSense
« on: October 08, 2017, 04:30:22 pm »
Here is the audit log.
=============================================================
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.55.1 is vulnerable:
cURL -- out of bounds read
CVE: CVE-2017-1000254
WWW: https://vuxml.FreeBSD.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html

1 problem(s) in the installed packages found.
***DONE***
=============================================================

As per the https://vuxml.FreeBSD.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html reference link in the audit log, the following are the recommendations.

RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl to version 7.56.0
B - Apply the patch to your version and rebuild
C - Switch off FTP in CURLOPT_PROTOCOLS

Option #A: Because I am new to OPNsense, I am not sure if it will break anything else.
Option #B: This is something beyond my ability at this point. I think someone from the OPNsense developer team can do this.
Option #C: I do not know how to do it. So far this seems to be the easy/safe option.

Can someone advise me if I am approaching this correctly?
« Last Edit: October 08, 2017, 04:39:05 pm by curioustech »

bartjsmit

Re: How to address CVE-2017-1000254 on OpnSense
« Reply #1 on: October 08, 2017, 06:30:35 pm »
This will only affect you if you use FTP to transfer files onto the OPNsense firewall itself. I can't think of any good reason to do so; all the OPNsense updates are fetched by http/s.

Bart...

franco

Re: How to address CVE-2017-1000254 on OpnSense
« Reply #2 on: October 09, 2017, 09:47:54 am »
Hi there,

We never fetch from FTP in our source code. Check your URL aliases and Proxy ACL download links for the "ftp:" prefix and disable or, better, replace them.

We'll update cURL in 17.7.6, but it's not a priority because of the given CVE scope.


Cheers,
Franco
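
Added example, not part of the original thread and not OPNsense code: one way to carry out the check suggested in the reply above on an exported configuration, assuming the export is XML. The sample document, its element names and the `find_ftp_urls` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real OPNsense export; element names are assumptions.
SAMPLE_CONFIG = """<config>
  <aliases>
    <alias><name>blocklist_a</name><type>urltable</type>
      <url>https://lists.example.net/block.txt</url></alias>
    <alias><name>blocklist_b</name><type>urltable</type>
      <url>ftp://lists.example.net/block.txt</url></alias>
  </aliases>
  <proxy>
    <remoteACLs>
      <blacklist><filename>acl_one</filename>
        <url> FTP://mirror.example.org/acl.tar.gz </url></blacklist>
      <blacklist><filename>acl_two</filename>
        <url>http://mirror.example.org/notftp:acl.tar.gz</url></blacklist>
    </remoteACLs>
  </proxy>
</config>"""


def find_ftp_urls(xml_text):
    """Return (element path, value) for each text or attribute value starting with "ftp:"."""
    root = ET.fromstring(xml_text)
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        # Check the element's own text and every attribute value.
        for value in [elem.text or ""] + list(elem.attrib.values()):
            value = value.strip()
            # URL schemes are case-insensitive; only a leading "ftp:" counts,
            # so "ftp:" appearing later inside an http URL is not reported.
            if value.lower().startswith("ftp:"):
                hits.append((here, value))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return hits


if __name__ == "__main__":
    for path, value in find_ftp_urls(SAMPLE_CONFIG):
        print(f"{path}: {value}")
```

Each reported entry is a download link that would make cURL speak FTP and is a candidate to disable or replace with an http/s source.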