OPNsense Forum

English Forums => 25.7 Series => Topic started by: muchacha_grande on August 01, 2025, 12:29:33 AM

Title: Vulnerability detected in security audit
Post by: muchacha_grande on August 01, 2025, 12:29:33 AM
Hi,
Since the 25.7 upgrade I'm seeing a vulnerability in the security audit:

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.1_1 (amd64) at Thu Jul 31 19:10:25 -03 2025
Fetching vuln.xml.xz: .......... done
libxslt-1.1.43_1 is vulnerable:
  libxslt -- unmaintained, with multiple unfixed vulnerabilities
  CVE: CVE-2025-7425
  CVE: CVE-2025-7424
  WWW: https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html


I've upgraded another box and it passes the audit so I think that "libxslt" must be used by a plugin installed only on the first router.
Then I reinstalled the package and it showed this message:

=====
Message from libxslt-1.1.43_1:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

unmaintained with multiple unfixed security vulnerabilities.

It is scheduled to be removed on or after 2025-09-12.
-----------------------------------------------------------

I'm using these plugins: os-acme-client, os-ftp-proxy, os-nextcloud-backup, os-nginx, os-strongswan-legacy and os-udpbroadcastrelay.
Title: Re: Vulnerability detected in security audit
Post by: muchacha_grande on August 01, 2025, 12:51:52 AM
Well, using "pkg info -r <package>" I've found out that the plugin using libxslt is os-acme-client.

libxslt-1.1.43_1 -> py311-lxml5-5.4.0_2 -> py311-beautifulsoup-4.13.4_1 -> py311-dns-lexicon-3.21.1 -> os-acme-client-4.10
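The two steps in the posts above (reading the `pkg audit` report, then walking `pkg info -r` until a package that nothing else requires is reached) can be automated. The script below is an added example, not something from the thread or from the OPNsense project. It parses the audit block format shown in the first post and follows the reverse-dependency chain to its root; the in-memory dependency map is constructed from the chain the poster reported, and the live `pkg(8)` helper assumes `pkg info -r <pkg>` prints a `<pkg>:` header followed by one indented name per line.

```python
"""Trace a package flagged by `pkg audit` back to the top-level OPNsense
plugin that pulls it in, by walking reverse dependencies (`pkg info -r`).

Added example for this thread; the sample data is constructed from the
chain the original poster found and is not real pkg(8) output."""
import re
import subprocess
from typing import Callable, Dict, List

# Constructed sample: the `pkg audit` block shown in the first post.
SAMPLE_AUDIT = """\
Fetching vuln.xml.xz: .......... done
libxslt-1.1.43_1 is vulnerable:
  libxslt -- unmaintained, with multiple unfixed vulnerabilities
  CVE: CVE-2025-7425
  CVE: CVE-2025-7424
  WWW: https://vuxml.FreeBSD.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html
"""

# Constructed reverse-dependency map mirroring the poster's `pkg info -r` chain.
SAMPLE_REQUIRED_BY: Dict[str, List[str]] = {
    "libxslt-1.1.43_1": ["py311-lxml5-5.4.0_2"],
    "py311-lxml5-5.4.0_2": ["py311-beautifulsoup-4.13.4_1"],
    "py311-beautifulsoup-4.13.4_1": ["py311-dns-lexicon-3.21.1"],
    "py311-dns-lexicon-3.21.1": ["os-acme-client-4.10"],
    "os-acme-client-4.10": [],
}

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")


def parse_audit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {package: {"summary": [...], "cves": [...], "www": [...]}}.
    A block starts at '<pkg> is vulnerable:' and continues over the
    two-space indented lines that follow it."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            current = m.group(1)
            findings[current] = {"summary": [], "cves": [], "www": []}
            continue
        if current is None or not line.startswith("  "):
            current = None  # blank or unrelated line ends the block
            continue
        body = line.strip()
        if body.startswith("CVE: "):
            findings[current]["cves"].append(body[len("CVE: "):])
        elif body.startswith("WWW: "):
            findings[current]["www"].append(body[len("WWW: "):])
        else:
            findings[current]["summary"].append(body)
    return findings


def sample_required_by(pkg: str) -> List[str]:
    """Lookup against the constructed map (offline use / tests)."""
    return SAMPLE_REQUIRED_BY.get(pkg, [])


def pkg_required_by(pkg: str) -> List[str]:
    """Live lookup via pkg(8). Assumption: `pkg info -r <pkg>` prints a
    '<pkg>:' header and then one indented required-by name per line."""
    proc = subprocess.run(["pkg", "info", "-r", pkg],
                          capture_output=True, text=True, check=False)
    return [l.strip() for l in proc.stdout.splitlines()
            if l.strip() and not l.rstrip().endswith(":")]


def trace_to_roots(pkg: str, required_by: Callable[[str], List[str]]) -> List[List[str]]:
    """Depth-first walk over reverse dependencies. Each returned chain runs
    from `pkg` to a package nothing else requires, i.e. the installed plugin
    that is the reason the library is present."""
    chains: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in path:  # defensive: never loop on a malformed dependency graph
            return
        parents = required_by(node)
        if not parents:
            chains.append(path + [node])
            return
        for parent in parents:
            walk(parent, path + [node])

    walk(pkg, [])
    return chains


def report(audit_text: str, required_by: Callable[[str], List[str]]) -> List[str]:
    """One line per (vulnerable package, root plugin) pair, e.g.
    'CVE-2025-7425, CVE-2025-7424: libxslt-1.1.43_1 -> ... -> os-acme-client-4.10'."""
    lines = []
    for pkg, info in parse_audit(audit_text).items():
        for chain in trace_to_roots(pkg, required_by):
            lines.append(f"{', '.join(info['cves'])}: {' -> '.join(chain)}")
    return lines


if __name__ == "__main__":
    # Offline run on the constructed sample; on a real box pass pkg_required_by
    # and the output of `pkg audit -F` instead.
    for line in report(SAMPLE_AUDIT, sample_required_by):
        print(line)
```

Knowing the root plugin is what turns the audit line into a decision: the poster could weigh whether os-acme-client's use of dns-lexicon (and, through lxml, libxslt) is exercised in their configuration, or whether the plugin can be removed until a fixed libxslt ships.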
Title: Re: Vulnerability detected in security audit
Post by: sopex8260 on August 01, 2025, 01:21:50 AM
My two cents are that the issues are too minor to do anything at this point. Especially since libxslt got a new maintainer this week and it will be back and running soon enough.
Title: Re: Vulnerability detected in security audit
Post by: franco on August 01, 2025, 08:26:58 AM
The whole libxml/libxslt thing is a bit of a "silly season" topic if you ask me. People being surprised open source exists that gets no funding and that maintainers are free to abandon their work at any time because of it. Then security researchers look closer and discover issues. ;)


Cheers,
Franco
Title: Re: Vulnerability detected in security audit
Post by: Cerberus on August 02, 2025, 01:06:43 PM
https://gitlab.gnome.org/GNOME/libxslt/-/issues/150
Title: Re: Vulnerability detected in security audit
Post by: BrandyWine on August 03, 2025, 02:39:59 AM
Quote from: franco on August 01, 2025, 08:26:58 AM
The whole libxml/libxslt thing is a bit of a "silly season" topic if you ask me. People being surprised open source exists that gets no funding and that maintainers are free to abandon their work at any time because of it. Then security researchers look closer and discover issues. ;)


Cheers,
Franco
I want my free stuff fixed right now, not later, now. LOL ;)

If the CVEs are clear on the issue, then it shouldn't take too much for anyone to make some fixes on their own time. To me, to play on the open-source field means you need to know how to code. No whining or crying allowed on this field...
Title: Re: Vulnerability detected in security audit
Post by: sopex8260 on August 03, 2025, 11:17:45 AM
Quote from: BrandyWine on August 03, 2025, 02:39:59 AM
Quote from: franco on August 01, 2025, 08:26:58 AM
The whole libxml/libxslt thing is a bit of a "silly season" topic if you ask me. People being surprised open source exists that gets no funding and that maintainers are free to abandon their work at any time because of it. Then security researchers look closer and discover issues. ;)


Cheers,
Franco
I want my free stuff fixed right now, not later, now. LOL ;)

If the CVEs are clear on the issue, then it shouldn't take too much for anyone to make some fixes on their own time. To me, to play on the open-source field means you need to know how to code. No whining or crying allowed on this field...

Many things are fortunately open source nowadays, not everyone needs to know how to code.
Title: Re: Vulnerability detected in security audit
Post by: BrandyWine on August 03, 2025, 09:26:48 PM
Quote from: sopex8260 on August 03, 2025, 11:17:45 AM
Many things are fortunately open source nowadays, not everyone needs to know how to code.
If there's no paid support, then it's best to know how to code, that's what makes free open source so great. Free open source is not the same model as say Red Hat.

I think that's what Franco was getting at... I may be wrong.
Title: Re: Vulnerability detected in security audit
Post by: OPNenthu on August 03, 2025, 09:50:05 PM
You can just "vibe code" the fixes and submit PRs.  It's industry best practice now.  Let's give the CEOs and investors what they want.
Title: Re: Vulnerability detected in security audit
Post by: franco on August 04, 2025, 12:35:16 PM
No, with open source being a commodity the train of thought is fixes are a commodity too. "Someone else's work and time" is worth nothing anymore.

I live and love open source, but that's exactly where we are now.


Cheers,
Franco
Title: Re: Vulnerability detected in security audit
Post by: chemlud on August 04, 2025, 01:40:43 PM
Imho that's not totally correct, as users here make donations from time to time. And you can re-use your effort for the commercial version of OPNsense.

What is missing is a path for steady revenue with open source software. I would be totally fine to pay (of my own free will) a certain monthly amount of money (no PayPal, no crypto...) to support some open source projects in the long run. As long as I have the feeling my voice is heard and proposals are taken seriously... :-)
Title: Re: Vulnerability detected in security audit
Post by: franco on August 04, 2025, 05:39:50 PM
I'm not going to fall for the argument that some people are awesome like that. Yes they are, but that's beside the point. As a society I think we have failed open source, and corporations are only spending reasonable amounts of money on open source when they are forced to.

At some point AI will answer your reports and try to fix bugs for you in software that is too integral to die but not worth the money to fund. When we are there we will know how good we had it the last two or three decades.  ;)


Cheers,
Franco