I'm just wondering, why a release is coming out with these 2 new vulnerabilities?
Currently running OPNsense 25.1.10 (amd64) at Fri Jul 4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.
***DONE***
The PHP vulnerabilities came out after 25.1.10 was released. I did the check just after installation and they were not listed.
The sudo vulnerabilities are not applicable to OPNsense, because you do not have SSH users that do not also have root privileges - or at least, you should not have them.
25.7 is due to release on 2025-07-23 and I guess this will be fixed then.
Hi
Ok, that makes sense. Thanks for your reply!
Quote from: holunde on July 04, 2025, 12:18:17 PM
I'm just wondering, why a release is coming out with these 2 new vulnerabilities?
Currently running OPNsense 25.1.10 (amd64) at Fri Jul 4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.
***DONE***
The PHP 8.3 vulnerabilities identified (CVE-2025-1220, CVE-2025-6491, CVE-2025-1735) were discovered and published after the release of 25.1.10. That means when the release was packaged, those PHP issues were still unknown and could not have been addressed in that version.
The sudo issues (CVE-2025-32462 and CVE-2025-32463) are flagged by the vulnerability scanner, but as the forum explains, these are not applicable in typical OPNsense configurations. OPNsense doesn't usually permit SSH users with sudo rights who aren't already root or privileged. Therefore, in most setups, the risk is negligible.
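Both replies above rest on the same precondition: that the firewall has no non-root account that can both log in and run sudo. The script below is an added example, not code from the OPNsense project or from anyone in this thread; it checks that precondition by intersecting the login-capable non-root accounts from a passwd file with the users that a sudoers file grants rules to (directly or through a %group line). The three input files are constructed sample data; on a live box you would pass /etc/passwd, /etc/group and the sudo port's sudoers file, assumed here to be /usr/local/etc/sudoers. Alias names and #include/sudoers.d directives are not followed.

```shell
#!/bin/sh
# Added example, not code from the OPNsense project or from this thread's authors.
# Reports non-root accounts that can log in AND hold a sudo rule; an empty
# result means the "no unprivileged sudo users" assumption holds.
# Live use: exposed_sudo_users /etc/passwd /etc/group /usr/local/etc/sudoers
# (sudoers path assumed to be the FreeBSD sudo port's default).

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample passwd/group/sudoers files.
cat > "$WORK/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/usr/local/bin/bash
carol:*:1003:1003:Carol:/home/carol:/usr/sbin/nologin
EOF

cat > "$WORK/group" <<'EOF'
wheel:*:0:root,alice
admins:*:1010:bob
EOF

cat > "$WORK/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
# host-bound rule of the kind the sudo advisory is about
bob fw1=(ALL) ALL
EOF

# Non-root accounts whose login shell is not a nologin/false shell.
login_users() {
    awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Users granted a sudo rule: direct "user host=..." specs plus the members
# of every "%group host=..." spec, expanded through the group file.
# Aliases and #include directives are ignored (check sudoers.d by hand).
sudo_users() {
    sudoers=$1
    groupfile=$2
    sed 's/#.*//' "$sudoers" |
        awk 'NF >= 2 && $1 !~ /^(Defaults|%|@)/ && $2 ~ /=/ { print $1 }'
    for g in $(sed 's/#.*//' "$sudoers" |
               awk '$1 ~ /^%/ && $2 ~ /=/ { print substr($1, 2) }'); do
        awk -F: -v g="$g" '$1 == g { n = split($4, m, ",")
                                     for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$groupfile"
    done
}

# Intersection: non-root login accounts that can run sudo, in passwd order.
exposed_sudo_users() {
    granted=$(sudo_users "$3" "$2" | sort -u)
    for u in $(login_users "$1"); do
        printf '%s\n' "$granted" | grep -qx "$u" && printf '%s\n' "$u"
    done
    return 0
}

# With the sample data this prints alice (via %wheel) and bob (direct rule).
exposed_sudo_users "$WORK/passwd" "$WORK/group" "$WORK/sudoers"
```

Any name this prints is an account that the thread's reasoning assumes does not exist on the box; either remove its shell access or its sudo rule, or treat the sudo advisory as applicable until the package is updated.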
Quote from: holunde on July 04, 2025, 12:18:17 PM
I'm just wondering, why a release is coming out with these 2 new vulnerabilities?
Currently running OPNsense 25.1.10 (amd64) at Fri Jul 4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.
***DONE***
Your scanner output shows CVEs affecting php 8.3 and sudo on OPNsense. Sometimes releases include vulnerable package versions because disclosures and upstream patches arrive after a snapshot. Check OPNsense security advisories immediately and apply any package updates or hotfixes they publish. Meanwhile harden your box: disable unused PHP services, restrict sudo via sudoers, block external access to affected services, and back up configs. Monitor logs closely and subscribe to OPNsense security channels for prompt notifications and consider staged testing first.
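The audit text in the original post is the output of FreeBSD's pkg audit (the same check the OPNsense firmware page runs). If you want to monitor it from cron rather than re-read it by hand, the functions below turn that output into package/CVE pairs and drop CVE ids you have already assessed as not applicable, so only new findings are reported. This is an added example, not code from the OPNsense project or from anyone in this thread; the sample input is the audit output quoted above, and the accepted-CVE list just reflects the reasoning given earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the OPNsense project or from this thread's authors.
# Parses "pkg audit" output into package/CVE pairs and filters out
# risk-accepted CVE ids. Live use: pkg audit -F | audit_unaccepted "$ACCEPTED"

# Sample input: the audit output quoted in the thread.
AUDIT_OUTPUT='php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.'

# Reads audit text on stdin; prints "package<TAB>CVE" for every CVE line,
# attributing each CVE to the most recent "<pkg> is vulnerable:" header.
audit_pairs() {
    awk '/ is vulnerable:$/ { pkg = $1; next }
         /^CVE: /           { print pkg "\t" $2 }'
}

# Same, but drops the CVE ids listed in $1 (space-separated), i.e. the ones
# you have documented as not applicable to your configuration.
audit_unaccepted() {
    awk -v accepted="$1" '
        BEGIN { n = split(accepted, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        / is vulnerable:$/ { pkg = $1; next }
        /^CVE: / && !($2 in skip) { print pkg "\t" $2 }'
}

# Number of CVE lines in raw audit output on stdin.
audit_cve_count() {
    awk '/^CVE: / { n++ } END { print n + 0 }'
}

# Example run: the two sudo CVEs are treated as accepted, per the thread's
# reasoning, so only the three PHP findings remain.
ACCEPTED="CVE-2025-32462 CVE-2025-32463"
remaining=$(printf '%s\n' "$AUDIT_OUTPUT" | audit_unaccepted "$ACCEPTED")
if [ -n "$remaining" ]; then
    printf 'Unaccepted findings:\n%s\n' "$remaining"
else
    echo "No unaccepted findings."
fi
```

Keep the accepted list short and dated; when the package that carried an accepted CVE is updated (for instance by the 25.7 release mentioned above), the entry disappears from the audit output on its own and can be removed from the list.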