Hi everyone,
first of all, thank you to the OPNsense team and all contributors for the amazing work you're doing. We've been using OPNsense Business Edition for quite some time now, and we really appreciate the stability, the feature set, and the pace at which improvements and fixes are delivered. It's clear how much dedication goes into this project.
I have a small suggestion regarding the Security Advisories published on GitHub (for example: GHSA-h3vx-4q27-rc42). Currently, the advisories list only the fixed versions for the Community Edition. For users of the Business Edition, this can make it a bit difficult to determine whether a specific BE release is already patched.
To illustrate the issue:
The advisory above states that the vulnerability is fixed starting with CE version 26.1.7. At the time the advisory was published, Business Edition 26.4 was already available. Based on the version numbers alone, one might assume that 26.4 includes the fix — but in reality, the patch was only included in 26.4_6. This information can be pieced together from forum posts and release notes, but it's not immediately visible from the advisory itself.
It would be extremely helpful if the Security Advisories could also include the corresponding fixed versions for the Business Edition. This would avoid confusion and save users from having to search through release notes or forum threads to confirm whether their systems are protected.
I hope this suggestion is helpful. Thanks again for all your hard work — it's very much appreciated.