OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: spetrillo on June 02, 2019, 10:05:49 pm

Title: Curl Vulnerability
Post by: spetrillo on June 02, 2019, 10:05:49 pm
Hello all,

I did a security audit of my system and it's showing that Curl has multiple vulnerabilities. Is there a new pkg that addresses these?

Thanks,
Steve
Title: Re: Curl Vulnerability
Post by: franco on June 03, 2019, 04:40:44 pm
There should be a new OPNsense release out shortly addressing this... Wednesday or Thursday.

Note we can't always keep up with all vulnerabilities all the time. Getting software into FreeBSD ports, building, QA, releasing already takes multiple days to conclude.


Cheers,
Franco
Title: Re: Curl Vulnerability
Post by: spetrillo on June 03, 2019, 05:21:59 pm
Agreed...and I was really not asking if there was an update but more if we could install the updated Curl, which looks to be available.
Title: Re: Curl Vulnerability
Post by: franco on June 03, 2019, 05:39:44 pm
I would post instructions here but curl is deeply embedded into multiple software packages and updating it to a newer version without updating its reverse dependencies may be problematic. The update solves it because it builds all packages against the correct libraries and updates them accordingly.


Cheers,
Franco
Title: Re: Curl Vulnerability
Post by: Taomyn on September 18, 2019, 09:56:44 am
Is this the same vulnerability in 19.7.4_?


Code:
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html


curl-7.65.3 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html


2 problem(s) in the installed packages found.
***DONE***
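
Added example, not part of the post above and not OPNsense code: a small Python parser that turns audit output in the format quoted above into per-package records (version, CVE IDs, VuXML links) suitable for alerting or ticketing. The name `parse_audit`, the record layout, and the reading of the trailing count as a number of packages are assumptions; the sample input is the output quoted above.

```python
import re

# Sample input: the audit output quoted in the post above.
SAMPLE = """\
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html

curl-7.65.3 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html

2 problem(s) in the installed packages found.
***DONE***
"""

# FreeBSD splits package name and version at the last hyphen.
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-\s]+) is vulnerable:$")
COUNT_RE = re.compile(r"^(\d+) problem\(s\) in the installed packages found\.$")

def parse_audit(text):
    """Return (findings, reported): one dict per vulnerable package, plus the tool's own count."""
    findings, current, reported = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PKG_RE.match(line):
            current = {"name": m["name"], "version": m["version"], "summaries": [], "cves": [], "urls": []}
            findings.append(current)
        elif m := COUNT_RE.match(line):
            reported, current = int(m[1]), None
        elif current is None:
            continue  # banner or progress lines outside any package block
        elif line.startswith("CVE: "):
            current["cves"].append(line[5:])
        elif line.startswith("WWW: "):
            current["urls"].append(line[5:])
        elif " -- " in line:
            current["summaries"].append(line)
    return findings, reported

if __name__ == "__main__":
    findings, reported = parse_audit(SAMPLE)
    # Assumption: the trailing count is a number of packages; a mismatch means truncated or unparsed output.
    print("complete" if reported == len(findings) else "INCOMPLETE")
    for f in findings:
        print(f["name"], f["version"], ",".join(f["cves"]) or "no CVE listed", *f["urls"])
```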
Title: Re: Curl Vulnerability
Post by: mimugmail on September 18, 2019, 11:16:40 am
vuxml will be updated in the next release:

https://github.com/opnsense/ports/commits/master

These messages are for you, not for the OPNsense team; they will update the ports when updates are available. :)
Title: Re: Curl Vulnerability
Post by: franco on September 19, 2019, 01:38:03 pm
vuxml is downloaded from a FreeBSD location so always at the latest version. The port is just a way to build the file and has no correlation with (our) port updates.

And no, it's not the same vulnerability. The thread in question is three months old and curl has a vulnerability every month or so. ;)


Cheers,
Franco
Title: Re: Curl Vulnerability
Post by: Taomyn on September 19, 2019, 01:41:15 pm
Ok, thanks - I only wondered as I had never run the audit report before and wanted to know what it did.