Title: Curl and Bind vulnerable
Post by: Jack V on April 17, 2017, 01:18:38 pm
It's been a long time, thought I'd give OPNsense a try again. Looks very good and works great! :D

Did nobody else notice yet? Curl and Bind are vulnerable.

Code:
vulnxml file up-to-date
curl-7.53.1 is vulnerable:
cURL -- out of buffer read
CVE: CVE-2017-7407
WWW: https://vuxml.FreeBSD.org/freebsd/04f29189-1a05-11e7-bc6e-b499baebfeaf.html

bind911-9.11.0P3 is vulnerable:
BIND -- multiple vulnerabilities
CVE: CVE-2017-3138
CVE: CVE-2017-3137
CVE: CVE-2017-3136
WWW: https://vuxml.FreeBSD.org/freebsd/c6861494-1ffb-11e7-934d-d05099c0ae8c.html

2 problem(s) in the installed packages found.
Title: Re: Curl and Bind vulnerable
Post by: franco on April 18, 2017, 07:18:56 am
This happens all the time. Of course we notice, but we don't control this database as it is fed via FreeBSD. Sometimes there is also a CVE but no fix available. Sometimes they happen right after a firmware release.

It's a way of tracking problems, giving visibility to you for vulnerability management beyond a mere update of OPNsense.

Both of these issues will be addressed with OPNsense 17.1.5 this week.

Between showing this info in advance or hiding it, we chose the former. :)