Quote from: holunde on July 04, 2025, 12:18:17 PM
I'm just wondering, why a release is coming out with these 2 new vulnerabilities?

The PHP 8.3 vulnerabilities identified (CVE-2025-1220, CVE-2025-6491, CVE-2025-1735) were discovered and published after the release of 25.1.10. That means when the release was packaged, those PHP issues were still unknown and could not have been addressed in that version.
Currently running OPNsense 25.1.10 (amd64) at Fri Jul 4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.
***DONE***
The sudo issues (CVE-2025-32462 and CVE-2025-32463) are flagged by the vulnerability scanner, but as the forum explains, these are not applicable in typical OPNsense configurations. OPNsense doesn't usually permit SSH users with sudo rights who aren't already root or privileged. Therefore, in most setups, the risk is negligible.
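The reasoning in the post rests on a precondition that can be checked on the box itself: both sudo issues presuppose a local non-root account that can run the sudo binary. The script below is an added example, not code from the post or from the OPNsense project. It parses `pkg audit` output into one line per flagged package with its CVEs, and then reports non-root accounts that both have a login shell and hold a sudo rule (directly or through a `%group` entry). All inputs are constructed samples embedded in the script; the passwd, group and sudoers contents are assumed shapes, not copied from a real system.

```shell
#!/bin/sh
# Added example: parse pkg audit output and check the sudo precondition
# (a non-root login account with a sudo rule). Sample data is constructed.

# Constructed sample 1: the pkg audit output quoted in the thread.
AUDIT_SAMPLE='Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
WWW: https://vuxml.FreeBSD.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html
2 problem(s) in 2 installed package(s) found.'

# Constructed sample 2: passwd with only system accounts (assumed stock shape),
# and the same file with one interactive user added.
PASSWD_OK='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin'
PASSWD_BAD="$PASSWD_OK
alice:*:1001:1001:Alice:/home/alice:/bin/sh"

# Constructed sample 3: group file and a sudoers that grants wheel full sudo.
GROUP_SAMPLE='wheel:*:0:root,alice
operator:*:5:root'
SUDOERS_SAMPLE='Defaults env_reset
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) ALL'

# vulnerable_pkgs: stdin = pkg audit output; prints "<pkg> <cve,cve,...>" per hit.
vulnerable_pkgs() {
    awk '
        / is vulnerable:$/ { if (pkg != "") print pkg, cves; pkg = $1; cves = ""; next }
        /^CVE: /           { cves = (cves == "" ? $2 : cves "," $2) }
        END                { if (pkg != "") print pkg, cves }
    '
}

# login_users: stdin = passwd file; prints non-root users with an interactive shell.
login_users() {
    awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# sudo_grantees SUDOERS GROUP: prints non-root users named in a sudoers rule,
# expanding %group entries via the group file. Skips comments, Defaults and
# aliases; assumes rules start in column 1 and does not follow @includedir.
sudo_grantees() {
    awk -F'[ \t]+' -v groupfile="$2" '
        BEGIN { while ((getline line < groupfile) > 0) { split(line, f, ":"); gmem[f[1]] = f[4] } }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/ { next }
        {
            who = $1
            if (who ~ /^%/) {
                n = split(gmem[substr(who, 2)], m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
            } else if (who != "root") print who
        }
    ' "$1"
}

# exposed_accounts SUDOERS GROUP PASSWD: login users that also hold a sudo rule.
exposed_accounts() {
    for u in $(login_users < "$3"); do
        sudo_grantees "$1" "$2" | grep -qx "$u" && echo "$u"
    done
    return 0
}

# Write the constructed samples to a temp dir so the functions run offline.
TMPD=$(mktemp -d) || exit 1
trap 'rm -rf "$TMPD"' EXIT
printf '%s\n' "$AUDIT_SAMPLE"   > "$TMPD/audit.txt"
printf '%s\n' "$PASSWD_OK"      > "$TMPD/passwd.ok"
printf '%s\n' "$PASSWD_BAD"     > "$TMPD/passwd.bad"
printf '%s\n' "$GROUP_SAMPLE"   > "$TMPD/group"
printf '%s\n' "$SUDOERS_SAMPLE" > "$TMPD/sudoers"

echo "Flagged packages:"
vulnerable_pkgs < "$TMPD/audit.txt"
echo "Exposed accounts (system accounts only): [$(exposed_accounts "$TMPD/sudoers" "$TMPD/group" "$TMPD/passwd.ok")]"
echo "Exposed accounts (with alice in wheel):  [$(exposed_accounts "$TMPD/sudoers" "$TMPD/group" "$TMPD/passwd.bad")]"
```

On a live FreeBSD/OPNsense box the same functions take real input: `pkg audit -F | vulnerable_pkgs` and `exposed_accounts /usr/local/etc/sudoers /etc/group /etc/passwd` (the sudoers path is the usual ports location, stated here as an assumption). Note that `alice` only counts as exposed when she exists in passwd with a login shell; a stale wheel membership alone is not reported. The sudoers parser is deliberately minimal: it ignores `@include`/`@includedir` and user or group aliases, so treat an empty result as a prompt to read the file, not as proof.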