OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: mcc85s on January 30, 2020, 08:58:33 PM

Title: CVE-2020-7450
Post by: mcc85s on January 30, 2020, 08:58:33 PM
Reporting a CVE surfacing after yesterday's update:

-----
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
pkg-1.12.0 is vulnerable:
pkg -- vulnerability in libfetch
CVE: CVE-2020-7450
WWW: https://vuxml.FreeBSD.org/freebsd/2af10639-4299-11ea-aab1-98fa9bfec35a.html

1 problem(s) in 1 installed package(s) found.
***DONE***
-----
Title: Re: CVE-2020-7450
Post by: franco on January 30, 2020, 09:16:55 PM
As said a number of times: posting vulnerability reports does not help because we all see the same thing. ;)
Title: Re: CVE-2020-7450
Post by: skyroute on January 31, 2020, 01:07:10 AM
It helps us, so we know this vulnerability affects this specific software and its components.
Title: Re: CVE-2020-7450
Post by: banym on January 31, 2020, 07:50:41 AM
That's what the audit function is for.
It reports to you that a known problem affects a package or software component on your system.

Since the developers are following the FreeBSD and HBSD projects very closely, we can be sure that with the next tested and QA-signed update the fixes will be included when everything still works as expected.

We can't complain about reaction time here, so give them some time for QA and I am sure it will be addressed within the next updates. This helps to keep up a positive mentality within our community.
Title: Re: CVE-2020-7450
Post by: skyroute on January 31, 2020, 08:00:08 AM
Oh, I did not realize that's what the 'Audit' function is for.
Thank you for pointing this out. This is super cool.
As far as positive mentality... could not agree with you more. This is an open source project. We get to use this software royalty free and I would not dare to be negative about any of this.

OPNsense has been reliable software for quite some time. I trust it any time over Cisco, Juniper or whowawa... and I can't thank the developers and everyone who contributes to the project enough.

Damien
Title: Re: CVE-2020-7450
Post by: franco on January 31, 2020, 08:13:51 AM
I'm not against posting this info here, but it comes with a responsibility to either explain or ask questions, not copy+paste. Because doing neither will only create confusion.

The timing is unfortunate. We need 4 days for a major release from build to finish, including image testing and everything around announcements, so a security issue cannot be picked up earlier without postponing the release to next week, where we can do a 20.1.1 to address this much easier and quicker.

The particular issue should not be of concern here because feeding pkg manipulated URLs requires access to vital systems such as GUI access to firmware pages, config import or shell access, and you should really be trusting the people who have these privileges. :)

Cheers,
Franco