I'm just wondering why a release is coming out with these 2 new vulnerabilities?
Currently running OPNsense 25.1.10 (amd64) at Fri Jul 4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.
***DONE***
The PHP vulnerabilities came out after 25.1.10 was released. I did the check just after installation and they were not listed.
The sudo vulnerabilities are not applicable to OPNsense, because you do not have SSH users that do not also have root privileges - or at least, you should not have them.
25.7 is due to release on 2025-07-23 and I guess this will be fixed then.
Hi
Ok, that makes sense. Thanks for your reply!