Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
packages with vulnerability
« previous
next »
Print
Pages: [
1
]
Author
Topic: packages with vulnerability (Read 997 times)
rickygm
Newbie
Posts: 42
Karma: 1
packages with vulnerability
«
on:
April 29, 2024, 04:23:24 am »
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1.6 at Sun Apr 28 20:20:29 CST 2024
vulnxml file up-to-date
ruby-3.1.4_1,1 is vulnerable:
ruby -- Arbitrary memory address read vulnerability with Regex search
CVE: CVE-2024-27282
WWW:
https://vuxml.FreeBSD.org/freebsd/2ce1a2f1-0177-11ef-a45e-08002784c58d.html
1 problem(s) in 1 installed package(s) found.
***DONE**
any idea how to fix them?
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: packages with vulnerability
«
Reply #1 on:
April 29, 2024, 10:32:46 am »
I'm not sure someone is feeding arbitrary untrusted data to ruby, but usually it takes a stable update fix this.. this is only for community plugins (iperf and tor).
Cheers,
Franco
Logged
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: packages with vulnerability
«
Reply #2 on:
April 29, 2024, 11:13:39 am »
Hmm, do you want to insinuate that ruby is the new xz?
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: packages with vulnerability
«
Reply #3 on:
April 29, 2024, 11:42:45 am »
I'm merely paraphrasing the link:
If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings.
Logged
rickygm
Newbie
Posts: 42
Karma: 1
Re: packages with vulnerability
«
Reply #4 on:
April 29, 2024, 08:30:05 pm »
I think it would be good to remove a package from the repo that could affect security.
note: would I have to remove iperf to remove this package or can I directly remove ruby?
Logged
Patrick M. Hausen
Hero Member
Posts: 6807
Karma: 572
Re: packages with vulnerability
«
Reply #5 on:
April 29, 2024, 08:40:27 pm »
There is no externally supplied data fed to Ruby in OPNsense. So there is no vulnerability.
If you are logged in via SSH you can trigger a bug in Ruby by supplying suitably crafted data and then read information from the running Ruby process with the privilege of the user that started the command in the first place. No privilege escalation, no remote code execution, nothing to see here.
Please don't freak out over CVEs but do a proper risk assessment. There will always be
some CVE
for a product with as many dependencies as OPNsense and an update cycle of two weeks.
«
Last Edit: April 30, 2024, 09:29:51 am by Patrick M. Hausen
»
Logged
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)
rickygm
Newbie
Posts: 42
Karma: 1
Re: packages with vulnerability
«
Reply #6 on:
April 29, 2024, 09:16:10 pm »
thank for information
Logged
chemlud
Hero Member
Posts: 2485
Karma: 112
Re: packages with vulnerability
«
Reply #7 on:
April 30, 2024, 08:56:46 am »
...todays patch is tomorrows bug... :-D
Logged
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorns premium katzenfutter mit der extraportion energie
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: packages with vulnerability
«
Reply #8 on:
April 30, 2024, 02:17:22 pm »
Quote from: chemlud on April 30, 2024, 08:56:46 am
...todays patch is tomorrows bug... :-D
True, and perfect software is dead software.
Cheers,
Franco
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
packages with vulnerability