OPNsense Forum

English Forums => 25.7 Series => Topic started by: muchacha_grande on August 01, 2025, 12:29:33 AM

Title: Vulnerability detected in security audit
Post by: muchacha_grande on August 01, 2025, 12:29:33 AM
Hi,
Since the 25.7 upgrade I'm seeing a vulnerability in the security audit:


***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.1_1 (amd64) at Thu Jul 31 19:10:25 -03 2025
Fetching vuln.xml.xz: .......... done
libxslt-1.1.43_1 is vulnerable:
  libxslt -- unmaintained, with multiple unfixed vulnerabilities
  CVE: CVE-2025-7425
  CVE: CVE-2025-7424
  WWW: https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html


I've upgraded another box and it passes the audit so I think that "libxslt" must be used by a plugin installed only on the first router.
Then I reinstalled the package and it showed this message:

=====
Message from libxslt-1.1.43_1:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

unmaintained with multiple unfixed security vulnerabilities.

It is scheduled to be removed on or after 2025-09-12.
-----------------------------------------------------------

I'm using these plugins: os-acme-client, os-ftp-proxy, os-nextcloud-backup, os-nginx, os-strongswan-legacy and os-udpbroadcastrelay.
Title: Re: Vulnerability detected in security audit
Post by: muchacha_grande on August 01, 2025, 12:51:52 AM
Well, using "pkg info -r <package>" I've found out that the plugin using libxslt is os-acme-client.

libxslt-1.1.43_1 -> py311-lxml5-5.4.0_2 -> py311-beautifulsoup-4.13.4_1 -> py311-dns-lexicon-3.21.1 -> os-acme-client-4.10
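
The reverse-dependency walk from the post above can be automated; the following is an added example, not part of the original thread. It uses `pkg query '%rn-%rv'` on a live system. The function names, the `RDEPS_SAMPLE` variable and the `example-tool-1.0` package are assumptions made for illustration.

```shell
#!/bin/sh
# Trace a package flagged by the security audit up to the top-level packages
# that pull it in (on OPNsense, usually an os-* plugin).

# Constructed sample edges ("package dependent" per line). The first four
# mirror the chain posted above; example-tool-1.0 is a made-up package.
SAMPLE_EDGES='libxslt-1.1.43_1 py311-lxml5-5.4.0_2
py311-lxml5-5.4.0_2 py311-beautifulsoup-4.13.4_1
py311-beautifulsoup-4.13.4_1 py311-dns-lexicon-3.21.1
py311-dns-lexicon-3.21.1 os-acme-client-4.10
py311-lxml5-5.4.0_2 example-tool-1.0'

# Direct reverse dependencies of $1, one name-version per line.
# Reads RDEPS_SAMPLE when set, otherwise asks the live package database.
rdeps_of() {
    if [ -n "${RDEPS_SAMPLE:-}" ]; then
        printf '%s\n' "$RDEPS_SAMPLE" | awk -v p="$1" '$1 == p { print $2 }'
    else
        pkg query '%rn-%rv' "$1"
    fi
}

# Print every chain from $1 to a package nothing else requires.
# The ( ) body runs in a subshell so recursion does not clobber variables.
rdep_chains() (
    chain=${2:+"$2 -> "}$1
    parents=$(rdeps_of "$1")
    if [ -z "$parents" ]; then
        printf '%s\n' "$chain"
    else
        for p in $parents; do
            rdep_chains "$p" "$chain"
        done
    fi
)

# Only the top-level packages, de-duplicated.
top_level_dependents() {
    rdep_chains "$1" | awk -F' -> ' '{ print $NF }' | sort -u
}

# Usage: script <name-version>   (live system)
#        script --demo           (constructed sample data)
if [ "${1:-}" = "--demo" ]; then
    RDEPS_SAMPLE=$SAMPLE_EDGES
    rdep_chains libxslt-1.1.43_1
elif [ "$#" -gt 0 ]; then
    rdep_chains "$1"
fi
```
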
Title: Re: Vulnerability detected in security audit
Post by: sopex8260 on August 01, 2025, 01:21:50 AM
My two cents are that the issues are too minor to do anything at this point. Especially since libxslt got a new maintainer this week and it will be back and running soon enough.
Title: Re: Vulnerability detected in security audit
Post by: franco on August 01, 2025, 08:26:58 AM
The whole libxml/libxslt thing is a bit of a "silly season" topic if you ask me. People being surprised open source exists that gets no funding and that maintainers are free to abandon their work at any time because of it. Then security researchers look closer and discover issues. ;)


Cheers,
Franco
Title: Re: Vulnerability detected in security audit
Post by: Cerberus on August 02, 2025, 01:06:43 PM
https://gitlab.gnome.org/GNOME/libxslt/-/issues/150
Title: Re: Vulnerability detected in security audit
Post by: BrandyWine on August 03, 2025, 02:39:59 AM
Quote from: franco on August 01, 2025, 08:26:58 AM
The whole libxml/libxslt thing is a bit of a "silly season" topic if you ask me. People being surprised open source exists that gets no funding and that maintainers are free to abandon their work at any time because of it. Then security researchers look closer and discover issues. ;)


Cheers,
Franco
I want my free stuff fixed right now, not later, now. LOL ;)

If the CVEs are clear on the issue, then it shouldn't take too much for anyone to make some fixes on their own time. To me, to play on the open-source field means you need to know how to code. No whining or crying allowed on this field.....