24.1 Production Series / Security audit (23.10.3 Business Edition) reports fixed CVEs as not fixed?
« on: April 13, 2024, 11:43:14 am »
I ran a security audit and got this result:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.10.3 at Sat Apr 13 11:37:48 CEST 2024
vulnxml file up-to-date
suricata-6.0.17 is vulnerable:
suricata -- multiple vulnerabilities
CVE: CVE-2024-23837
CVE: CVE-2024-24568
CVE: CVE-2024-23835
CVE: CVE-2024-23836
CVE: CVE-2024-23839
WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html
openssl111-1.1.1w is vulnerable:
OpenSSL -- DoS in DH generation
CVE: CVE-2023-5678
WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html
2 problem(s) in 2 installed package(s) found.
***DONE***
But according to https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/ the CVEs were already fixed in Suricata 6.0.16. So now I'm confused.
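A small script, added here as an example and not part of the post, OPNsense or pkg, that parses the `pkg audit`-style output quoted above into per-package findings and reconciles each installed version against a table of versions documented as carrying the fix. That table (`KNOWN_FIX_VERSIONS`, seeded only with the Suricata 6.0.16 figure the post cites) and the simplified version ordering in `version_key` are assumptions; the sample input is the post's own audit output, embedded inline. A package that is at or above its known fix version is reported as `patched-upstream`, which is the case where the VuXML entry's affected-version range, rather than the installed package, deserves a second look.

```python
"""Parse pkg-audit style output and reconcile findings against known fix
versions. Added example; KNOWN_FIX_VERSIONS and version_key are assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample: the audit output quoted in the forum post.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.10.3 at Sat Apr 13 11:37:48 CEST 2024
vulnxml file up-to-date
suricata-6.0.17 is vulnerable:
suricata -- multiple vulnerabilities
CVE: CVE-2024-23837
CVE: CVE-2024-24568
CVE: CVE-2024-23835
CVE: CVE-2024-23836
CVE: CVE-2024-23839
WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html
openssl111-1.1.1w is vulnerable:
OpenSSL -- DoS in DH generation
CVE: CVE-2023-5678
WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html
2 problem(s) in 2 installed package(s) found.
***DONE***
"""

# Assumed fix-version table. Only Suricata is filled in (from the 6.0.16
# release notes the post links); OpenSSL is deliberately left out so the
# report also shows the "no fix version on record" case.
KNOWN_FIX_VERSIONS = {"suricata": "6.0.16"}


@dataclass
class Finding:
    package: str
    version: str
    title: str = ""
    cves: list = field(default_factory=list)
    url: str = ""


# "<name>-<version> is vulnerable:" -- the version is everything after the
# last dash, so names with dashes and digits (openssl111) still split correctly.
PKG_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+) is vulnerable:$")


def parse_audit(text):
    """Group the CVE/WWW/title lines under the package line that precedes them."""
    findings, current = [], None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = Finding(m["name"], m["version"])
            findings.append(current)
        elif current is None:
            continue  # banner lines before the first finding
        elif line.startswith("CVE: "):
            current.cves.append(line[5:].strip())
        elif line.startswith("WWW: "):
            current.url = line[5:].strip()
        elif not current.title and " -- " in line:
            current.title = line.strip()
    return findings


def version_key(version):
    """Simplified FreeBSD-style ordering: dotted numeric components compare as
    integers and a trailing letter (1.1.1w) sorts after the bare number.
    Assumption: adequate for these packages; pkg's real algorithm also handles
    _revision, ,epoch and +suffix forms, which this rejects loudly."""
    key = []
    for part in version.split("."):
        m = re.match(r"^(\d+)([a-z]*)$", part)
        if not m:
            raise ValueError(f"unsupported version component: {part!r}")
        key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def reconcile(findings, fix_versions=KNOWN_FIX_VERSIONS):
    """Map package -> verdict. 'patched-upstream': installed version is at or
    above the documented fix, so check the VuXML range; 'vulnerable': below the
    fix; 'unknown-fix': nothing on record, so the audit finding stands."""
    verdicts = {}
    for f in findings:
        fixed = fix_versions.get(f.package)
        if fixed is None:
            verdicts[f.package] = "unknown-fix"
        elif version_key(f.version) >= version_key(fixed):
            verdicts[f.package] = "patched-upstream"
        else:
            verdicts[f.package] = "vulnerable"
    return verdicts


if __name__ == "__main__":
    found = parse_audit(SAMPLE_AUDIT)
    verdicts = reconcile(found)
    for f in found:
        print(f"{f.package}-{f.version}: {verdicts[f.package]} "
              f"({len(f.cves)} CVEs, {f.url})")
```

Run as-is it reports suricata-6.0.17 as `patched-upstream` and openssl111-1.1.1w as `unknown-fix`; the `patched-upstream` line is the signal to compare the VuXML entry's `<range>` against the upstream advisory before treating the package as exposed, while `unknown-fix` findings should be treated as real until a fix version is confirmed.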