Is there a plan to address CVE-2018-25032 / zlib for OS with OPNSense?
( https://nvd.nist.gov/vuln/detail/CVE-2018-25032 )
If so, any date for planned upgrade?
Thanks!
/var/etc/lighty-webConfigurator.conf:
...
## modules to load
server.modules = (
"mod_access", "mod_expire", "mod_deflate", "mod_redirect", "mod_setenv",
"mod_cgi", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_openssl"
)
...
# ldd /usr/local/lib/lighttpd/mod_deflate.so
/usr/local/lib/lighttpd/mod_deflate.so:
libz.so.6 => /lib/libz.so.6 (0x80065a000)
libc.so.7 => /lib/libc.so.7 (0x800260000)
(This appears to be a part of the core OS (buildworld) not from a pkg.)
Is the suggested path until there is a fix to disable mod_deflate from being loaded?
Thanks!
(I don't use OPNSense IPSEC/Strongswan, or OpenVPN so these were not included in my review.)
(I tried searching for this CVE in forums, but found no hits, so I created this post/thread/question.)
Looks like this is still developing since March 25 where it was publicly raised. I have no more info on this at the moment as FreeBSD src would have to release a security advisory for the base library and FreeBSD ports needs to update the zlib version or add the patch manually.
Cheers,
Franco
Thanks!
Notes for "22.1.5" include:
"
...
Due to popular demand the user experience for the revamped VLAN handling was improved in several areas. Also incuded are a larger Unbound MVC rework and DNS system route apply changes from one single spot. Last but not least the zlib vulnerability was fixed in FreeBSD amongst others.
...
src: zlib compression out-of-bounds write[9]
...
"
It looks like 22.1.5 notes say this CVE was addressed. Thanks!