Hi, I'm a newbie in OPNsense. I had a security audit on the latest stable release from
http://opnsense.local/ui/core/firmware#status.
OPNsense report:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.4 (amd64) at Tue Oct 7 12:43:46 CEST 2025
vulnxml file up-to-date
openssl-3.0.17,1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2025-9232
CVE: CVE-2025-9231
CVE: CVE-2025-9230
WWW: https://vuxml.FreeBSD.org/freebsd/00e912c5-9e92-11f0-bc5f-8447094a420f.html
1 problem(s) in 1 installed package(s) found.
***DONE***
Is there a way to fix this bug?
Wait for the next update and install it when it is published?
One is for S/MIME and we don't do emails.
One is for "no_proxy" env var use which is nowhere found in core. The docs suggest using it, but it still would need to be compromised by an attacker with root access in that case. Chances are practically zero that they would go for this particular problem?
One is for 64-bit ARM architectures. We only offer AMD64.
This is commercial grade support BTW.
Cheers,
Franco
Ok thanks. By the way, I told you I'm a complete OPNsense newbie, right?
That's ok, because we're here to help :)
Note that the scanner is for everyone so we are all aware and working towards shipping the fixes as soon as possible, which sometimes takes a bit longer for the strangest reasons.
In this case 25.7.5 is due tomorrow and fixes this.
Cheers,
Franco
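
For readers who want to process a report like the one quoted in the first post: the following is an added example (not part of the thread and not OPNsense code) that parses the audit text into packages, advisories and CVE ids, then checks the result against the report's own summary line. The sample is the report from that post; treating each other line under a package header as the start of a new advisory, and counting "problem(s)" as advisories, are assumptions for reports with more than one entry.

```python
import re

# Audit output as quoted in the first post of this thread.
SAMPLE = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.4 (amd64) at Tue Oct 7 12:43:46 CEST 2025
vulnxml file up-to-date
openssl-3.0.17,1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2025-9232
CVE: CVE-2025-9231
CVE: CVE-2025-9230
WWW: https://vuxml.FreeBSD.org/freebsd/00e912c5-9e92-11f0-bc5f-8447094a420f.html
1 problem(s) in 1 installed package(s) found.
***DONE***
"""

RUNNING = re.compile(r"^Currently running (\S+) (\S+) \((\S+)\)")
PACKAGE = re.compile(r"^(.+)-([^-\s]+) is vulnerable:$")
SUMMARY = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")

def parse_audit(text):
    """Parse audit text; 'consistent' is True if counts match the summary line."""
    report = {"system": None, "packages": [], "consistent": False}
    adv = None  # advisory currently being filled in
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("***"):
            continue  # blank lines and the ***...*** banner markers
        if m := RUNNING.match(line):
            report["system"] = dict(zip(("product", "version", "arch"), m.groups()))
        elif m := PACKAGE.match(line):
            report["packages"].append({"name": m[1], "version": m[2], "advisories": []})
            adv = None
        elif m := SUMMARY.match(line):
            problems = sum(len(p["advisories"]) for p in report["packages"])
            counted = (problems, len(report["packages"]))
            report["consistent"] = (int(m[1]), int(m[2])) == counted
        elif not report["packages"]:
            continue  # preamble such as "vulnxml file up-to-date"
        elif line.startswith("CVE: "):
            if adv:
                adv["cves"].append(line[5:])
        elif line.startswith("WWW: "):
            if adv:
                adv["url"] = line[5:]
        else:  # assumption: any other line under a package is an advisory title
            adv = {"title": line, "cves": [], "url": None}
            report["packages"][-1]["advisories"].append(adv)
    return report
```

A `consistent` value of `False` usually means the pasted report was cut off or reflowed, so the CVE list should not be trusted as complete.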