Vulnerability detected in security audit

Started by muchacha_grande, August 01, 2025, 12:29:33 AM

August 01, 2025, 12:29:33 AM Last Edit: August 01, 2025, 12:40:37 AM by muchacha_grande
Hi,
Since the 25.7 upgrade I've been seeing a vulnerability reported in the security audit:


***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.1_1 (amd64) at Thu Jul 31 19:10:25 -03 2025
Fetching vuln.xml.xz: .......... done
libxslt-1.1.43_1 is vulnerable:
  libxslt -- unmaintained, with multiple unfixed vulnerabilities
  CVE: CVE-2025-7425
  CVE: CVE-2025-7424
  WWW: https://vuxml.freebsd.org/freebsd/b0a3466f-5efc-11f0-ae84-99047d0a6bcc.html


I've upgraded another box and it passes the audit, so I think that "libxslt" must be used by a plugin installed only on the first router.
Then I reinstalled the package and it showed this message:

=====
Message from libxslt-1.1.43_1:

--
===>   NOTICE:

This port is deprecated; you may wish to reconsider installing it:

unmaintained with multiple unfixed security vulnerabilities.

It is scheduled to be removed on or after 2025-09-12.
-----------------------------------------------------------

I'm using these plugins: os-acme-client, os-ftp-proxy, os-nextcloud-backup, os-nginx, os-strongswan-legacy and os-udpbroadcastrelay.

August 01, 2025, 12:51:52 AM #1 Last Edit: August 01, 2025, 01:30:25 PM by muchacha_grande
Well, using "pkg info -r <package>" I've found out that the plugin using libxslt is os-acme-client.

libxslt-1.1.43_1 -> py311-lxml5-5.4.0_2 -> py311-beautifulsoup-4.13.4_1 -> py311-dns-lexicon-3.21.1 -> os-acme-client-4.10
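
Tracing the reverse-dependency chain by hand with repeated "pkg info -r" calls, as the two posts above do, is easy to automate. The script below is an added example, not code from the thread or from OPNsense: it walks `pkg info -qr` (the quiet form, which prints only the dependents) upward from a package until it reaches packages nothing else requires, and prints one chain per root. The `RDEPS_CMD` override, the `sample_rdeps` graph (the thread's chain plus a made-up `example-tool-1.0` dependent to show branching) and the `--demo` switch are this example's own constructs.

```shell
#!/bin/sh
# Added example (not from the thread): walk reverse dependencies with
# `pkg info -qr` from a package up to the top-level packages that nothing
# else requires, printing one "a -> b -> c" chain per root.

# Command that lists the packages requiring $1, one per line.
# Defaults to pkg(8); override (RDEPS_CMD=some_function) to run offline.
: "${RDEPS_CMD:=pkg info -qr}"

walk_rdeps() {
  # $1 = package to expand, $2 = chain built so far ("a -> b")
  _deps=$($RDEPS_CMD "$1" 2>/dev/null || true)
  if [ -z "$_deps" ]; then
    printf '%s\n' "$2"          # nothing requires $1: it is a root
    return 0
  fi
  for _d in $_deps; do
    case " $2 " in
      *" $_d "*) continue ;;    # guard against dependency cycles
    esac
    ( walk_rdeps "$_d" "$2 -> $_d" )   # subshell keeps this loop's state
  done
}

# who_uses PKG: every chain from PKG to a package nothing else requires.
who_uses() { walk_rdeps "$1" "$1"; }

# root_packages PKG: just the last element of each chain, deduplicated.
# These are the plugins you would actually decide about.
root_packages() { who_uses "$1" | sed 's/.* -> //' | sort -u; }

# Constructed sample graph for offline runs (assumption, not real pkg data):
# the chain reported in the thread plus a made-up dependent, example-tool-1.0,
# hanging off py311-lxml5 so that the walk has to branch.
sample_rdeps() {
  case $1 in
    libxslt-1.1.43_1)             echo py311-lxml5-5.4.0_2 ;;
    py311-lxml5-5.4.0_2)          printf '%s\n' py311-beautifulsoup-4.13.4_1 example-tool-1.0 ;;
    py311-beautifulsoup-4.13.4_1) echo py311-dns-lexicon-3.21.1 ;;
    py311-dns-lexicon-3.21.1)     echo os-acme-client-4.10 ;;
    *) ;;
  esac
}

# `sh thisscript.sh --demo` runs against the sample graph; without --demo,
# call who_uses / root_packages on a real box, e.g.:
#   . ./thisscript.sh; root_packages libxslt-1.1.43_1
if [ "${1:-}" = "--demo" ]; then
  RDEPS_CMD=sample_rdeps
  who_uses libxslt-1.1.43_1
  echo "roots:"
  root_packages libxslt-1.1.43_1
fi
```

On a real router, `who_uses libxslt-1.1.43_1` reproduces the chain muchacha_grande posted, and `root_packages` is the quick way to see whether more than one plugin would be affected by removing the package.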

My two cents are that the issues are too minor to do anything at this point. Especially since libxslt got a new maintainer this week and it will be back and running soon enough.

The whole libxml/libxslt thing is a bit of a "silly season" topic if you ask me. People are surprised that open source exists that gets no funding and that maintainers are free to abandon their work at any time because of it. Then security researchers look closer and discover issues. ;)


Cheers,
Franco