I ran a security audit and got this result:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.10.3 at Sat Apr 13 11:37:48 CEST 2024
vulnxml file up-to-date
suricata-6.0.17 is vulnerable:
suricata -- multiple vulnerabilities
CVE: CVE-2024-23837
CVE: CVE-2024-24568
CVE: CVE-2024-23835
CVE: CVE-2024-23836
CVE: CVE-2024-23839
WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html
openssl111-1.1.1w is vulnerable:
OpenSSL -- DoS in DH generation
CVE: CVE-2023-5678
WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html
2 problem(s) in 2 installed package(s) found.
***DONE***
But according to https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/ the CVEs were already fixed in Suricata 6.0.16. So now I'm confused.
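The confusion above comes from the audit output reporting a package whose installed version is already past the upstream fix. As an added example (not part of the original thread), the following Python parses the `pkg audit` style output quoted in the post into structured findings and compares each installed version against the version the upstream advisory says fixed the issue, so a defender can tell "still vulnerable" apart from "VuXML version range is probably too wide". The sample audit text is constructed from the post; the only fixed-in version used is Suricata 6.0.16, which comes from the release announcement linked above. The version parser is a simplified approximation of FreeBSD's `version[_revision][,epoch]` ordering (it does not handle pre-release markers such as `a1` or `pl`), and the function and class names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the audit output quoted in the post above.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.10.3 at Sat Apr 13 11:37:48 CEST 2024
vulnxml file up-to-date
suricata-6.0.17 is vulnerable:
suricata -- multiple vulnerabilities
CVE: CVE-2024-23837
CVE: CVE-2024-24568
WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html
openssl111-1.1.1w is vulnerable:
OpenSSL -- DoS in DH generation
CVE: CVE-2023-5678
WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html
2 problem(s) in 2 installed package(s) found.
***DONE***
"""


@dataclass
class Finding:
    """One 'is vulnerable' entry from the audit output (hypothetical helper type)."""
    package: str
    version: str
    title: str = ""
    cves: list = field(default_factory=list)
    url: str = ""


def parse_pkg_version(v):
    """Turn a FreeBSD pkg version string into a comparable tuple.

    Format handled: version[_revision][,epoch]. Epoch wins over everything,
    then the dotted version, then the port revision. Inside the version,
    digit runs compare numerically and letter runs compare as strings, so
    1.1.1w > 1.1.1v and 6.0.17 > 6.0.16. Simplified: no pre-release handling.
    """
    epoch = 0
    if "," in v:
        v, e = v.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.rsplit("_", 1)
        revision = int(r)
    # Tag each token so ints never get compared with strs: (0, int) or (1, str).
    tokens = tuple(
        (0, int(t)) if t.isdigit() else (1, t)
        for t in re.findall(r"\d+|[A-Za-z]+", v)
    )
    return (epoch, tokens, revision)


def parse_audit(text):
    """Extract Finding objects from pkg-audit style output."""
    findings = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is vulnerable:$", line)
        if m:
            # Package names may contain hyphens; the version is after the last one.
            name, ver = m.group(1).rsplit("-", 1)
            cur = Finding(name, ver)
            findings.append(cur)
            continue
        if cur is None:
            continue  # banner, summary and other lines outside an entry
        if line.startswith("CVE: "):
            cur.cves.append(line[5:].strip())
        elif line.startswith("WWW: "):
            cur.url = line[5:].strip()
            cur = None  # the WWW line closes an entry
        elif not cur.title and line.strip():
            cur.title = line.strip()  # the advisory title follows the header line
    return findings


def triage(findings, fixed_in):
    """Classify each finding against upstream fixed-in versions.

    fixed_in maps package name -> version string from the upstream advisory.
    Returns {package: 'fixed-upstream' | 'vulnerable' | 'unknown'}; a
    'fixed-upstream' result means the VuXML range, not the package, needs a look.
    """
    result = {}
    for f in findings:
        fixed = fixed_in.get(f.package)
        if fixed is None:
            result[f.package] = "unknown"
        elif parse_pkg_version(f.version) >= parse_pkg_version(fixed):
            result[f.package] = "fixed-upstream"
        else:
            result[f.package] = "vulnerable"
    return result


if __name__ == "__main__":
    # Fixed-in version for suricata taken from the linked release announcement.
    for pkg, verdict in triage(parse_audit(SAMPLE_AUDIT), {"suricata": "6.0.16"}).items():
        print(f"{pkg}: {verdict}")
```

Run as a script it prints `suricata: fixed-upstream` and `openssl111: unknown`; the second verdict is deliberate, because no upstream fixed-in version for openssl111 was supplied, and guessing one would defeat the purpose of the check.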
I run Business as well. Well, I was until the OpenSSL vulnerabilities came about.
I have moved to the community version until the latest Business is released. It should be this month, I've read.
Currently running OPNsense 24.1.5_3 at Sat Apr 13 06:19:32 EDT 2024
Fetching vuln.xml.xz: .......... done
openssl-3.0.13_2,1 is vulnerable:
OpenSSL -- Unbounded memory growth with session handling in TLSv1.3
CVE: CVE-2024-2511
WWW: https://vuxml.FreeBSD.org/freebsd/7c217849-f7d7-11ee-a490-84a93843eb75.html
The FreeBSD-bound database isn't optimal as it is "optimized" for FreeBSD ports use, but people making mistakes while updating the vulnerability database is the root cause, in a nutshell. It is what it is.
Cheers,
Franco