17.7 Legacy Series / How to address CVE-2017-1000254 on OpnSense
« on: October 08, 2017, 04:30:22 pm »
Here is the audit log.
=============================================================
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.55.1 is vulnerable:
cURL -- out of bounds read
CVE: CVE-2017-1000254
WWW: https://vuxml.FreeBSD.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html
1 problem(s) in the installed packages found.
***DONE***
=============================================================
As per the https://vuxml.FreeBSD.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html reference link in the audit log, the following are the recommendations.
RECOMMENDATIONS
We suggest you take one of the following actions immediately, in order of preference:
A - Upgrade curl to version 7.56.0
B - Apply the patch to your version and rebuild
C - Switch off FTP in CURLOPT_PROTOCOLS
Option#A: Because I am new to OPNsense, I am not sure if it will break anything else.
Option#B: This is something beyond my ability at this point. I think someone from the OPNsense developer team can do this.
Option#C: I do not know how to do it. So far this seems to be the easy/safe option.
Can someone advise me if I am approaching this correctly?
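As an added example (not part of the original post and not OPNsense's own tooling), the following shell script parses the audit output quoted in the post and checks the flagged curl version against the fixed version named in recommendation A; the function names are hypothetical. Recommendation C refers to a libcurl option that each program using libcurl sets in its own code, so it is not a system-wide switch.

```sh
#!/bin/sh
# Added example, not from the original post. AUDIT_LOG is the audit output
# quoted in the post; FIXED_VERSION is the version named in recommendation A.
FIXED_VERSION="7.56.0"
AUDIT_LOG='***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.55.1 is vulnerable:
cURL -- out of bounds read
CVE: CVE-2017-1000254
WWW: https://vuxml.FreeBSD.org/freebsd/ccace707-a8d8-11e7-ac58-b499baebfeaf.html
1 problem(s) in the installed packages found.
***DONE***'

# Print "name version" for each "<name>-<version> is vulnerable:" line.
vulnerable_packages() {
    printf '%s\n' "$1" |
        sed -n 's/^\(.*\)-\([^-][^-]*\) is vulnerable:$/\1 \2/p'
}

# Succeed when dotted version $1 is lower than $2. Simplification: a port
# revision ("_1") or epoch (",1") suffix is dropped before comparing.
version_lt() {
    a=${1%%[_,]*} b=${2%%[_,]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# For each flagged package named $2, say whether the fixed version $3 is
# newer than what is installed, i.e. whether recommendation A clears it.
upgrade_status() {
    vulnerable_packages "$1" | while read -r name ver; do
        [ "$name" = "$2" ] || continue
        if version_lt "$ver" "$3"; then
            echo "$name $ver: upgrade to $3 or later"
        else
            echo "$name $ver: already at or above $3"
        fi
    done
}

upgrade_status "$AUDIT_LOG" curl "$FIXED_VERSION"
```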