OPNsense Forum

Archive => 20.1 Legacy Series => Topic started by: zcutlip on June 15, 2020, 06:16:29 pm

Title: security audit shows 5 CVEs but no updates available
Post by: zcutlip on June 15, 2020, 06:16:29 pm

I think I'm fully up to date, running the following versions according to the dashboard:
- OPNsense 20.1.7-amd64
- FreeBSD 11.2-RELEASE-p20-HBSD
- OpenSSL 1.1.1g 21 Apr 2020

Checking for updates shows none available, but the security audit shows problems with the following packages:
- python37-3.7.7 (2 CVEs)
- libnghttp2-1.40.0
- unbound-1.10.0
- json-c-0.13.1_1

Is this expected. Should I be looking somewhere other than Firmware Updates in the Web UI to update these packages?

Thanks

Title: Re: security audit shows 5 CVEs but no updates available
Post by: mimugmail on June 16, 2020, 05:58:54 am

They will be included in 20.1.8 :)

Title: Re: security audit shows 5 CVEs but no updates available
Post by: cmdr.adama on June 16, 2020, 01:19:08 pm

I posted the same thing a couple of days ago and got this response from hbc..

Quote from: hbc on June 06, 2020, 11:26:29 pm

Nothing to be worried about. Everybody has this button for security audit - even developers. The know about it.

@franco: feature request: add hint not to post security audits to forum and explain its use case