OPNsense Forum

English Forums => 26.1, 26.4 Series => Topic started by: wirehire on April 30, 2026, 03:40:21 PM

Title: Business Edition pf CVE-2026-7164
Post by: wirehire on April 30, 2026, 03:40:21 PM
Hey,

I saw that the community edition has received the fixes for several CVEs. What about the business edition? Will there be patches for 25.10 and for 26.4?

like CVE-2026-7164

greets
Title: Re: Business Edition pf CVE-2026-7164
Post by: franco on April 30, 2026, 04:53:27 PM
If the day had 32 hours things would be different but for now we have to settle for a business fix for tomorrow.

Our usual strategy is to start fixing community and then move to business, and due to surprise timing coupled with lots of changes in critical areas (OS in particular) it isn't good not to follow the good strategy.


Cheers,
Franco
Title: Re: Business Edition pf CVE-2026-7164
Post by: wirehire on April 30, 2026, 08:25:13 PM
Franco, I really appreciate your work! There's no question about that. The only question was how critical this vulnerability is, and it currently appears that it doesn't need to be patched immediately. Is that correct?
Title: Re: Business Edition pf CVE-2026-7164
Post by: Patrick M. Hausen on April 30, 2026, 09:06:57 PM
Quote from: wirehire on April 30, 2026, 08:25:13 PM
> The only question was how critical this vulnerability is, and it currently appears that it doesn't need to be patched immediately. Is that correct?

The most critical one in the latest lot is CVE-2026-7270, IMHO. Privilege escalation through execve(2). But since in the context of OPNsense we would need a remote code execution or a malicious actor with a shell account, first, I think it can safely be ignored for a couple of days.

CVE-2026-7164 can IMHO equally be ignored unless you have specific rules allowing IP protocol 132 (SCTP). Check your rule set for rules that do not specify the protocol explicitly as TCP, UDP or ICMP but use "any" instead. These are susceptible to a DoS attack. You might want to replace "*" with "TCP/UDP" if applicable.

HTH,
Patrick
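The rule audit Patrick describes, as an added example that is not part of this thread: a small Python script that scans `pfctl -sr` style output and flags pass rules with no `proto` keyword (protocol "any", which admits SCTP, IP protocol 132) or with an explicit SCTP protocol. The sample rule lines and labels are constructed for illustration, not taken from any real system.

```python
import re

# Constructed sample of `pfctl -sr` output (not from a real firewall).
# A pf rule with no "proto" keyword matches every IP protocol, SCTP included.
SAMPLE_RULES = """\
block drop in log quick on igb0 inet from any to any label "default deny"
pass in quick on igb0 inet proto tcp from any to any port = 443 flags S/SA keep state label "https in"
pass in quick on igb1 inet from any to any flags S/SA keep state label "lan allow all"
pass in quick on igb1 inet proto udp from any to any port = 53 keep state label "lan dns"
pass in quick on igb1 inet proto sctp from any to 10.0.0.5 port = 3868 keep state label "diameter"
pass in quick on igb1 inet proto { tcp udp } from any to any keep state label "lan tcp udp"
"""

# Matches "proto tcp" as well as pf protocol lists such as "proto { tcp udp }".
PROTO_RE = re.compile(r"\bproto\s+(\{[^}]*\}|\S+)")
LABEL_RE = re.compile(r'label "([^"]*)"')


def rule_protocols(rule):
    """Return the set of protocol names a pf rule line restricts itself to,
    or {"any"} when the rule names no protocol at all."""
    m = PROTO_RE.search(rule)
    if not m:
        return {"any"}
    return set(m.group(1).strip("{} ").split())


def sctp_exposed_rules(pfctl_output):
    """Return (label, reason) pairs for pass rules that would admit SCTP.

    Block rules are skipped: they cannot let SCTP through, whatever their
    protocol clause says.
    """
    findings = []
    for line in pfctl_output.splitlines():
        if not line.startswith("pass"):
            continue
        protos = rule_protocols(line)
        label_m = LABEL_RE.search(line)
        label = label_m.group(1) if label_m else line
        if "any" in protos:
            findings.append((label, "protocol any (also matches SCTP)"))
        elif protos & {"sctp", "132"}:
            findings.append((label, "explicit SCTP rule"))
    return findings


if __name__ == "__main__":
    for label, reason in sctp_exposed_rules(SAMPLE_RULES):
        print(f"{reason}: {label}")
```

On a live box you would feed the real `pfctl -sr` output to `sctp_exposed_rules` instead of the constructed sample, then tighten the flagged rules to TCP/UDP where that is all they need.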
Title: Re: Business Edition pf CVE-2026-7164
Post by: muchacha_grande on April 30, 2026, 10:58:47 PM
Quote from: Patrick M. Hausen on April 30, 2026, 09:06:57 PM
> Check your rule set for rules that do not specify the protocol explicitly as TCP, UDP or ICMP but use "any" instead. These are susceptible to a DoS attack. You might want to replace "*" with "TCP/UDP" if applicable.

Thank you Patrick for pointing this out
Title: Re: Business Edition pf CVE-2026-7164
Post by: pfry on May 01, 2026, 12:47:18 AM
Something the Fortinets had that was rather nice was "session-helper" (ALG or protocol parsing) control - you could enable specific ALGs by protocol and port. (Interestingly, I don't see SCTP in my old config template.) Killing the SCTP ALG might be of limited use, though.
Title: Re: Business Edition pf CVE-2026-7164
Post by: franco on May 01, 2026, 11:32:02 AM
Taken care of in 26.4_6.


Cheers,
Franco
Title: Re: Business Edition pf CVE-2026-7164
Post by: wirehire on May 01, 2026, 11:37:39 AM
Thanks Franco,

you and your team are awesome!

Is it possible to release the CVE patches that have been backported for 25.10? There are still some users who haven't upgraded to 26.4 yet because they're still in the testing phase and the rollout hasn't started yet (since a lot has changed).

greets
Title: Re: Business Edition pf CVE-2026-7164
Post by: franco on May 01, 2026, 12:13:15 PM
opnsense-patch usually works for core/plugins, but older OS builds and ports updates are not supplied because in the past the tree moved too fast, so things broke when freezing repo state, and building takes too long.


Cheers,
Franco
Title: Re: Business Edition pf CVE-2026-7164
Post by: wirehire on May 01, 2026, 12:52:32 PM
So, as an example, on 25.10 we can run opnsense-patch on the CLI/shell, for example for the SCTP CVE?

As I see, you are in Germany; have a good day off and a long weekend!
Title: Re: Business Edition pf CVE-2026-7164
Post by: franco on May 04, 2026, 10:52:08 AM
Thanks, I hope you had a nice one too.

> So, as an example, on 25.10 we can run opnsense-patch on the CLI/shell, for example for the SCTP CVE?

No, opnsense-patch can do core, plugins, update and installer hotfixing since these use scripting languages.

Ports and src need to be rebuilt, which takes a long time on top of managing historic branches, which is one of the reasons we're not attempting that.

In the average case you can get away with running a newer kernel from e.g. the 26.4 series in 25.10, but we tend not to recommend it for the off-chance that something is wrong, since we don't have that in our test rotation. It's even possible to use community kernels in business versions as long as you make sure you're not loading a kernel that has fewer security issue patches than the business one.


Cheers,
Franco
Title: Re: Business Edition pf CVE-2026-7164
Post by: wirehire on May 15, 2026, 07:28:29 AM
Thanks Franco and the team. We have now updated all our firewalls to 26.4 Business!

Works like a charm! Very good work, thanks for your software!
Title: Re: Business Edition pf CVE-2026-7164
Post by: franco on May 18, 2026, 09:34:10 AM
happy to hear :)