OPNsense Forum

English Forums => 25.1, 25.4 Series => Topic started by: holunde on July 04, 2025, 12:18:17 PM

Title: Question about 2 vulnerabilities in 25.1.10
Post by: holunde on July 04, 2025, 12:18:17 PM
I'm just wondering why a release is coming out with these 2 new vulnerabilities?

Currently running OPNsense 25.1.10 (amd64) at Fri Jul  4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***
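A small triage helper for audit output in the format quoted above, added here as an example and not code from the original post or from OPNsense: it parses each `... is vulnerable:` block into a per-package record and splits the findings against an accepted-risk CVE set (which CVEs belong in that set is an assumption for the demo, not something the tool decides).

```python
import re

# Constructed sample: the audit output quoted in the opening post.
SAMPLE_AUDIT = """\
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.FreeBSD.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***
"""

HEADER = re.compile(r"^(\S+) is vulnerable:$")

def parse_audit(text):
    """Return one dict per vulnerable package: {package, title, cves, www}."""
    findings, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"package": m.group(1), "title": "", "cves": [], "www": []}
            findings.append(current)
        elif current and line.startswith("  "):   # indented detail line
            key, _, value = line.strip().partition(":")
            if key == "CVE":
                current["cves"].append(value.strip())
            elif key == "WWW":
                current["www"].append(value.strip())
            elif not current["title"]:             # first detail line is the title
                current["title"] = line.strip()
        # preamble, blank lines and the trailing summary are skipped
    return findings

def triage(findings, accepted_cves):
    """Split into (open, accepted); a finding is accepted only if every CVE is listed."""
    open_, accepted = [], []
    for f in findings:
        (accepted if set(f["cves"]) <= accepted_cves else open_).append(f)
    return open_, accepted
```

Calling `triage(parse_audit(SAMPLE_AUDIT), {"CVE-2025-32463", "CVE-2025-32462"})` leaves the php83 finding open and marks the sudo one as accepted; a finding with any CVE outside the set stays open.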
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: meyergru on July 04, 2025, 01:26:14 PM
The PHP vulnerabilities came out after 25.1.10 was released. I did the check just after installation and they were not listed.

The sudo vulnerabilities are not applicable to OPNsense, because you do not have SSH users that do not also have root privileges - or at least, you should not have them.

25.7 is due to release on 2025-07-23 and I guess this will be fixed then.
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: holunde on July 04, 2025, 09:39:34 PM
Hi

Ok, that makes sense. Thanks for your reply!
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: meyergru on November 10, 2025, 12:04:44 PM
1. The current CE version is 25.7.7_4, where this has long been patched.
2. As I wrote, the vulnerability never applied to OPNsense anyway - and I also explained why.
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: meyergru on November 23, 2025, 07:47:41 PM
It does not become any more true by repeating this. As pointed out, the PHP vulnerabilities were detected after the 25.1.10 release, so there never was "a release ship with fresh vulnerabilities still present" like you say.

The sudo vulnerabilities are not applicable to OPNsense, so they were a false alarm.

Anyway, 25.1.10 was long ago succeeded by 25.7.x, where the referenced vulnerabilities have been fixed.

So, what is your actual complaint? Not having updated to 25.7.7_4? That would be on you, I guess.
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: Patrick M. Hausen on November 23, 2025, 07:54:19 PM
Quote from: emeliaerick on November 23, 2025, 07:29:02 PM
Hopefully a follow-up patch drops soon, because seeing those CVEs right after updating doesn't inspire much confidence.

The follow-up patch is 25.7. 25.1 is long EOL. Complaining about vulnerabilities in EOL software is a bit strange, don't you think? But you do you.
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: franco on November 25, 2025, 01:32:43 PM
You both have been arguing with a bot :)
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: meyergru on November 25, 2025, 01:51:55 PM
Saw that only after it started advertising... damn AI slop.
Title: Re: Question about 2 vulnerabilities in 25.1.10
Post by: franco on November 25, 2025, 03:52:28 PM
It's pretty interesting. I'll try to delete it when I see embedded links, but they mostly stick random stuff on here or repost old forum messages and only go back later and add links everywhere they already posted.
Cheers,
Franco