OPNsense Forum
Archive => 19.1 Legacy Series => Topic started by: spetrillo on June 02, 2019, 10:05:49 pm
-
Hello all,
I did a security audit of my system and it's showing that Curl has multiple vulnerabilities. Is there a new pkg that addresses these?
Thanks,
Steve
-
There should be a new OPNsense release out shortly addressing this... Wednesday or Thursday.
Note we can't always keep up with all vulnerabilities all the time. Getting software into FreeBSD ports, building, QA, releasing already takes multiple days to conclude.
Cheers,
Franco
-
Agreed...and I was really not asking if there was an update but more if we could install the updated Curl, which looks to be available.
-
I would post instructions here but curl is deeply embedded into multiple software packages and updating it to a newer version without updating its reverse dependencies may be problematic. The update solves it because it builds all packages against the correct libraries and updates them accordingly.
Cheers,
Franco
-
Is this the same vulnerability in 19.7.4_?
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
expat-2.2.6_1 is vulnerable:
expat2 -- Fix extraction of namespace prefixes from XML names
WWW: https://vuxml.FreeBSD.org/freebsd/c5bd8a25-99a6-11e9-a598-f079596b62f9.html
curl-7.65.3 is vulnerable:
curl -- multiple vulnerabilities
CVE: CVE-2019-5482
CVE: CVE-2019-5481
WWW: https://vuxml.FreeBSD.org/freebsd/9fb4e57b-d65a-11e9-8a5f-e5c82b486287.html
2 problem(s) in the installed packages found.
***DONE***
-
vuxml will be updated in the next release:
https://github.com/opnsense/ports/commits/master
These messages are for you, not for the OPNsense team; they will update the ports when updates are available. :)
-
vuxml is downloaded from a FreeBSD location so always at the latest version. The port is just a way to build the file and has no correlation with (our) port updates.
And no, it's not the same vulnerability. The thread in question is three months old and curl has a vulnerability every month or so. ;)
Cheers,
Franco
-
Ok, thanks - I only wondered as I had never run the audit report before and wanted to know what it did.