Messages - brueggemann

#1
Quote from: Patrick M. Hausen on May 10, 2025, 12:02:49 AM
What exactly is the security-relevant problem with any current version of OPNsense?

Probably nothing; it only affects services that are linked against liblzma and use the lzma_stream_decoder_mt function. After a quick and not representative search (searching for lzma_stream_decoder_mt and comparing the hit count with that for lzma_stream_decoder on GitHub), the multithreaded variant is hardly used.
#2
OK, thank you. Then I will wait for FreeBSD to update xz and after that for OPNsense to upgrade its FreeBSD base.
#3
25.1, 25.4 Production Series / xz / liblzma version
April 28, 2025, 03:58:31 PM
Hi, while checking whether vulnerable versions of xz are installed on our systems, I discovered that xz 5.4.5 / liblzma 5.4.5 is installed on our OPNsense systems. Surprisingly, there seems to be no package associated with /usr/bin/xz, so I'm wondering where it comes from:

$ xz --version
xz (XZ Utils) 5.4.5
liblzma 5.4.5

$ which xz
/usr/bin/xz

$ pkg which /usr/bin/xz
/usr/bin/xz was not found in the database

Version of OpnSense is: 25.1.5_5-amd64

xz 5.4.5 was released on Nov 1, 2023, so it is pretty old and IMHO should be upgraded.

We did a vulnerability check because of CVE-2025-31115 (https://tukaani.org/xz/threaded-decoder-early-free.html). Upstream released 5.8.1 to fix this issue.

So my questions are:
- Where does /usr/bin/xz come from?
- Would it be possible to roll out a current version of xz?

Regards,
Jan-Marten Brüggemann
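As an added example, not code from this thread, from OPNsense or from the xz project: a small POSIX shell triage helper that automates the two checks discussed above. It parses `xz --version` output and flags a liblzma older than 5.8.1 (the fixed release named in the post), and it greps a dynamic symbol listing (as produced by `nm -D` or `objdump -T`, which are assumed tools and not run here) for the `lzma_stream_decoder_mt` import that the first reply says is the only thing actually affected. The sample version text and symbol listings are constructed inline so the script runs offline; the affected-version boundary is taken from the post, not verified against the advisory here.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Assumptions: 5.8.1 is the first
# fixed xz release (from the post); symbol listings come from `nm -D` style
# output, where an imported symbol appears as " U name" (optionally "@version").

FIXED_XZ_VERSION="5.8.1"

# Constructed sample inputs (not captured from a real system).
SAMPLE_XZ_VERSION='xz (XZ Utils) 5.4.5
liblzma 5.4.5'
SAMPLE_NM_MT='                 U lzma_stream_decoder_mt
                 U lzma_code
                 U lzma_end'
SAMPLE_NM_SINGLE='                 U lzma_stream_decoder
                 U lzma_code'

# version_lt A B: exit 0 if dotted version A is numerically lower than B.
# Trailing suffixes such as "1alpha" compare as their leading number.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print the liblzma version from `xz --version` text; fall back to the
# version on the first line if no liblzma line is present.
xz_reported_liblzma_version() {
    printf '%s\n' "$1" | awk '
        /^liblzma[[:space:]]/ { print $2; found = 1; exit }
        NR == 1 { first = $NF }
        END { if (!found) print first }'
}

# xz_needs_update VERSION_TEXT: exit 0 if the reported liblzma is below the fix.
xz_needs_update() {
    v=$(xz_reported_liblzma_version "$1")
    [ -n "$v" ] && version_lt "$v" "$FIXED_XZ_VERSION"
}

# uses_mt_decoder: read a dynamic symbol listing on stdin; exit 0 if the
# binary imports lzma_stream_decoder_mt (the only entry point the first
# reply considers affected), 1 otherwise. Plain lzma_stream_decoder does
# not match.
uses_mt_decoder() {
    grep -qE '(^|[[:space:]])U[[:space:]]+lzma_stream_decoder_mt([@[:space:]]|$)'
}

# Stand-alone demo on the constructed inputs, then on the local xz if present.
triage_demo() {
    if xz_needs_update "$SAMPLE_XZ_VERSION"; then
        echo "sample: liblzma $(xz_reported_liblzma_version "$SAMPLE_XZ_VERSION") is below $FIXED_XZ_VERSION"
    fi
    if printf '%s\n' "$SAMPLE_NM_MT" | uses_mt_decoder; then
        echo "sample binary A imports lzma_stream_decoder_mt: affected if liblzma is old"
    fi
    if ! printf '%s\n' "$SAMPLE_NM_SINGLE" | uses_mt_decoder; then
        echo "sample binary B uses only the single-threaded decoder: not affected"
    fi
    if command -v xz >/dev/null 2>&1; then
        local_out=$(xz --version 2>/dev/null)
        if xz_needs_update "$local_out"; then
            echo "local xz: liblzma $(xz_reported_liblzma_version "$local_out") is below $FIXED_XZ_VERSION"
        else
            echo "local xz: liblzma $(xz_reported_liblzma_version "$local_out") is at or above $FIXED_XZ_VERSION"
        fi
    fi
}

triage_demo
```

On a real host, the symbol check would be fed with `nm -D /usr/local/sbin/somedaemon | uses_mt_decoder` for each binary that `ldd` shows linked against liblzma; note that a library version below 5.8.1 is only a concern for binaries where the second check also fires.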