Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
OPNsense Security vulnerabilities site
« previous
next »
Print
Pages: [
1
]
Author
Topic: OPNsense Security vulnerabilities site (Read 2338 times)
fsebera
Newbie
Posts: 38
Karma: 2
OPNsense Security vulnerabilities site
«
on:
January 11, 2022, 05:35:27 pm »
Is there a web site that shows known OPNsense security vulnerabilities?
Thank you
Frank
Logged
joeyboon
Newbie
Posts: 41
Karma: 2
Re: OPNsense Security vulnerabilities site
«
Reply #1 on:
January 11, 2022, 05:58:11 pm »
You can run a security scan on any OPNsense system under sytem -> firmware -> status -> run an audit -> Security. It will tell you the CVE's affecting your current system. For example mine gave me the follwing output:
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.10.1 (amd64/OpenSSL) at Tue Jan 11 17:57:29 CET 2022
vulnxml file up-to-date
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW:
https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW:
https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW:
https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW:
https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
***DONE***
Is this what you are looking for?
Logged
fsebera
Newbie
Posts: 38
Karma: 2
Re: OPNsense Security vulnerabilities site
«
Reply #2 on:
January 11, 2022, 06:17:16 pm »
I think this is on the right track - It appears OPNsense.org is self-managing a publicly accessible database the firewall is referencing to determine what security issues exist on itself. - Right?
Logged
joeyboon
Newbie
Posts: 41
Karma: 2
Re: OPNsense Security vulnerabilities site
«
Reply #3 on:
January 11, 2022, 06:52:36 pm »
My guess (because I don't actually know) is that they just cross reference the installed packages with the publicly available CVE database and that they don't run a server themselves. But maybe someone else can enlighten us
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: OPNsense Security vulnerabilities site
«
Reply #4 on:
January 11, 2022, 08:04:46 pm »
We just use the FreeBSD package vulnerability database via pkg-audit utility which matches against the installed packages. It's run by FreeBSD and tailored for their ports. Sometimes there are (human) errors in these reports, but overall it works really well.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
21.7 Legacy Series
»
OPNsense Security vulnerabilities site