OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: comet on December 17, 2017, 07:26:22 am

Title: libxml2-2.9.4 is vulnerable
Post by: comet on December 17, 2017, 07:26:22 am
Got this on a router audit:

***GOT REQUEST TO AUDIT***
Fetching vuln.xml.bz2: .......... done
libxml2-2.9.4 is vulnerable:
libxml2 -- Multiple Issues
CVE: CVE-2017-9050
CVE: CVE-2017-9049
CVE: CVE-2017-9048
CVE: CVE-2017-9047
CVE: CVE-2017-8872
WWW: https://vuxml.FreeBSD.org/freebsd/76e59f55-4f7a-4887-bcb0-11604004163a.html

1 problem(s) in the installed packages found.
***DONE***

Title: Re: libxml2-2.9.4 is vulnerable
Post by: weust on December 17, 2017, 10:48:09 am
Saw that one too.

Title: Re: libxml2-2.9.4 is vulnerable
Post by: franco on December 17, 2017, 03:23:31 pm
Hi guys,

It's true. The database is provided via FreeBSD for your pleasure. Check the CVEs and mitigate if necessary.

You can install the port if you want to mitigate via the system and restart the appropriate services:

# opnsense-code tools ports
# cd /usr/ports/textproc/libxml2
# make
# make deinstall install

17.7.11 will fix this one for sure, but in general the vulnerabilities do not necessarily adhere to our release schedule. ;)


Cheers,
Franco
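
Added example, not part of the thread or of OPNsense's own tooling: a POSIX sh helper that condenses an audit report in the format quoted in the first post into one line per flagged package, so the result can be compared before and after the port rebuild described above. The function names and the embedded sample report are constructed for illustration.

```shell
#!/bin/sh
# Summarise an audit report as "package-version<TAB>CVE,CVE,...".

# Constructed sample: the report text quoted in the first post.
sample_report() {
cat <<'EOF'
***GOT REQUEST TO AUDIT***
Fetching vuln.xml.bz2: .......... done
libxml2-2.9.4 is vulnerable:
libxml2 -- Multiple Issues
CVE: CVE-2017-9050
CVE: CVE-2017-9049
CVE: CVE-2017-9048
CVE: CVE-2017-9047
CVE: CVE-2017-8872
WWW: https://vuxml.FreeBSD.org/freebsd/76e59f55-4f7a-4887-bcb0-11604004163a.html

1 problem(s) in the installed packages found.
***DONE***
EOF
}

# Reads a report on stdin and prints one line per flagged package.
summarise_audit() {
    awk '
        / is vulnerable:$/ {
            # A new package entry starts; flush the previous one first.
            if (pkg != "") print pkg "\t" cves
            pkg = $1; cves = ""
            next
        }
        /^CVE: / && pkg != "" {
            cves = (cves == "" ? $2 : cves "," $2)
        }
        END { if (pkg != "") print pkg "\t" cves }
    '
}

# Reads a report on stdin; exit status 0 when package $1 is not flagged.
# $1 is used inside a grep pattern, so pass a plain package name.
is_clear() {
    ! summarise_audit | grep -q "^$1-[0-9]"
}

sample_report | summarise_audit
```

On a live system the report would come from `pkg audit` instead of `sample_report`.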