Author Topic: Curl Vulnerability  (Read 6483 times)

spetrillo

Curl Vulnerability
« on: June 02, 2019, 10:05:49 pm »
Hello all,

I did a security audit of my system and it's showing that Curl has multiple vulnerabilities. Is there a new pkg that addresses these?

Thanks,
Steve

franco

Re: Curl Vulnerability
« Reply #1 on: June 03, 2019, 04:40:44 pm »
There should be a new OPNsense release out shortly addressing this... Wednesday or Thursday.

Note we can't always keep up with all vulnerabilities all the time. Getting software into FreeBSD ports, building, QA, releasing already takes multiple days to conclude.


Cheers,
Franco

spetrillo

Re: Curl Vulnerability
« Reply #2 on: June 03, 2019, 05:21:59 pm »
Agreed...and I was really not asking if there was an update but more if we could install the updated Curl, which looks to be available.

franco

Re: Curl Vulnerability
« Reply #3 on: June 03, 2019, 05:39:44 pm »
I would post instructions here but curl is deeply embedded into multiple software packages and updating it to a newer version without updating its reverse dependencies may be problematic. The update solves it because it builds all packages against the correct libraries and updates them accordingly.


Cheers,
Franco

Taomyn

Re: Curl Vulnerability
« Reply #4 on: September 18, 2019, 09:56:44 am »
Is this the same vulnerability in 19.7.4_?


Code:
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html


curl-7.65.3 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html


2 problem(s) in the installed packages found.
***DONE***
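Added example, not part of the original thread and not OPNsense or FreeBSD code: a small Python parser for the audit output format pasted in reply #4, turning it into per-package records (package, version, advisory title, CVEs, VuXML link) for triage. The function name `parse_audit` and the record fields are assumptions made for illustration, and the format is assumed to match what the reply shows.

```python
import re

# Audit output copied from reply #4 of this thread (blank lines removed).
SAMPLE = """\
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html
curl-7.65.3 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html
2 problem(s) in the installed packages found.
***DONE***
"""

# FreeBSD package strings are name-version; the version follows the last hyphen.
HEADER = re.compile(r"^(\S+)-([^-\s]+) is vulnerable:$")
TOTAL = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.$")


def parse_audit(text):
    """Return one dict per vulnerable package; raise if the tool's own count disagrees."""
    findings, current, reported = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        header, total = HEADER.match(line), TOTAL.match(line)
        if header:
            current = {"package": header.group(1), "version": header.group(2),
                       "title": None, "cves": [], "url": None}
            findings.append(current)
        elif total:
            reported, current = int(total.group(1)), None
        elif current is None or not line:
            continue  # banner, fetch progress or blank separator
        elif line.startswith("CVE: "):
            current["cves"].append(line[5:])
        elif line.startswith("WWW: "):
            current["url"] = line[5:]
        elif current["title"] is None:
            current["title"] = line  # first free-text line is the advisory title
    if reported is not None and reported != len(findings):
        raise ValueError(f"parsed {len(findings)} findings, output says {reported}")
    return findings


if __name__ == "__main__":
    print(*parse_audit(SAMPLE), sep="\n")
```

Entries without a `CVE:` line, like the expat one, come back with an empty CVE list, so the VuXML link is the only reference to follow for them.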

mimugmail

Re: Curl Vulnerability
« Reply #5 on: September 18, 2019, 11:16:40 am »
vuxml will be updated in the next release:

https://github.com/opnsense/ports/commits/master

These messages are for you, not for the OPNsense team; they will update the ports when updates are available. :)
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

franco

Re: Curl Vulnerability
« Reply #6 on: September 19, 2019, 01:38:03 pm »
vuxml is downloaded from a FreeBSD location, so it is always at the latest version. The port is just a way to build the file and has no correlation with (our) port updates.

And no, it's not the same vulnerability. The thread in question is three months old and curl has a vulnerability every month or so. ;)


Cheers,
Franco

Taomyn

Re: Curl Vulnerability
« Reply #7 on: September 19, 2019, 01:41:15 pm »
Ok, thanks - I only wondered as I had never run the audit report before and wanted to know what it did.