python -- several vulnerabilities CVE: CVE-2025-13836 CVE: CVE-2025-12084

Started by makman26, January 21, 2026, 05:58:19 PM

Hello,
I am new here and have looked for an answer to my question but have been unable to find one. I have been getting this alert when I run the security checkup lately and I am not sure what to do. It states that it is inadvisable to update python on its own but I have been through a few minor upgrades and the issue still persists. I am on version 25.7.11_2
Thank you
Dave
Here is the full error.
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.11_2 (amd64) at Wed Jan 21 09:44:22 MST 2026
Fetching vuln.xml.xz: .......... done
python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

1 problem(s) in 1 package(s) found.
***DONE***

Wait for the next release which will probably address these issues. There is nothing you can do now.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Python has not gone ahead with releasing a new version yet. It was met with a bit of irritation. For now it is what it is.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT


Which part of OPNsense uses Python exactly?

I have started to seriously dislike it as a programming language over the last couple of years, so I am really curious what its purpose is :)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

The backend uses quite some Python for fetching and managing data.

We did fix the two _1 CVEs in 26.1.1 but apparently there is _2 with two new ones.  The circle of life.  ;)


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

I am far more concerned about the OpenSSL ones:

Fetching vuln.xml.xz: .......... done
openssl-3.0.18,1 is vulnerable:
  OpenSSL -- Multiple vulnerabilities
  CVE: CVE-2026-22796
  CVE: CVE-2026-22795
  CVE: CVE-2025-69421
  CVE: CVE-2025-69420
  CVE: CVE-2025-69419
  CVE: CVE-2025-69418
  CVE: CVE-2025-68160
  CVE: CVE-2025-66199
  CVE: CVE-2025-15469
  CVE: CVE-2025-15468
  CVE: CVE-2025-15467
  CVE: CVE-2025-11187
  WWW: https://vuxml.freebsd.org/freebsd/4b824428-fb93-11f0-b194-8447094a420f.html

python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

  python -- several security vulnerabilities
  CVE: CVE-2026-0865
  CVE: CVE-2026-1299
  WWW: https://vuxml.freebsd.org/freebsd/bfe9adc8-0224-11f1-8790-c5fb948922ad.html

libsodium-1.0.19 is vulnerable:
  security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid
  CVE: CVE-2025-69277
  WWW: https://vuxml.freebsd.org/freebsd/583b63f5-ebae-11f0-939f-47e3830276dd.html

4 problem(s) in 3 package(s) found.
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device
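Both audit reports above (the short one in the opening post and the longer one in this reply) follow the same layout that the OPNsense security audit (FreeBSD pkg audit) prints: a package line at column 0, then indented advisory blocks with a title, CVE lines and a VuXML link, and a closing "N problem(s) in M package(s)" line. The parser below is an added example, not OPNsense or pkg code; it reads that text into per-package records so the CVE ids can be tracked between releases, and it checks that pkg's own summary agrees with the number of advisory blocks it found (pkg counts one problem per advisory, not per CVE, which is why the reply above shows 4 problems in 3 packages). The sample input is constructed for this example from the package names, advisory titles and CVE ids quoted in the thread; the summary line is computed for that subset.

```python
"""
Parser for the text that the OPNsense "security audit" (FreeBSD pkg audit)
prints, as quoted in this thread. Added example; not OPNsense or pkg code.
It turns the report into one record per vulnerable package, with the advisory
titles, CVE ids and VuXML links under each, and cross-checks the
"N problem(s) in M package(s)" summary line against what it parsed.
"""
import re

# Constructed sample: package names, advisories and CVE ids are the ones
# quoted in the thread; the summary line is computed for this subset.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.11_2 (amd64) at Wed Jan 21 09:44:22 MST 2026
Fetching vuln.xml.xz: .......... done
python311-3.11.14 is vulnerable:
  python -- several vulnerabilities
  CVE: CVE-2025-13836
  CVE: CVE-2025-12084
  WWW: https://vuxml.freebsd.org/freebsd/613d0f9e-d477-11f0-9e85-03ddfea11990.html

  python -- several security vulnerabilities
  CVE: CVE-2026-0865
  CVE: CVE-2026-1299
  WWW: https://vuxml.freebsd.org/freebsd/bfe9adc8-0224-11f1-8790-c5fb948922ad.html

libsodium-1.0.19 is vulnerable:
  security/libsodium -- crypto_core_ed25519_is_valid_point mishandles checks for whether an elliptic curve point is valid
  CVE: CVE-2025-69277
  WWW: https://vuxml.freebsd.org/freebsd/583b63f5-ebae-11f0-939f-47e3830276dd.html

3 problem(s) in 2 package(s) found.
***DONE***
"""

PKG_RE = re.compile(r"^(\S+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) package\(s\) found\.$")


def parse_audit(text):
    """Return ({package: [advisory, ...]}, (problems, packages) or None).

    Each advisory is a dict with keys 'title', 'cves' (list) and 'www'.
    Column-0 lines either start a package, carry the summary, or are
    banner/progress text that is ignored; indented lines belong to the
    current package, and a blank line ends the current advisory block.
    """
    packages = {}
    current_pkg = None
    current_adv = None
    summary = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            current_adv = None
            continue
        m = PKG_RE.match(line)
        if m:
            current_pkg = m.group(1)
            packages.setdefault(current_pkg, [])
            current_adv = None
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary = (int(m.group(1)), int(m.group(2)))
            continue
        if not line.startswith("  ") or current_pkg is None:
            continue  # "***GOT REQUEST...", "Fetching vuln.xml.xz ..." etc.
        field = line.strip()
        if field.startswith("CVE: ") or field.startswith("WWW: "):
            if current_adv is None:
                raise ValueError("field outside an advisory block: %r" % line)
            if field.startswith("CVE: "):
                current_adv["cves"].append(field[5:])
            else:
                current_adv["www"] = field[5:]
        else:
            # Any other indented line is the title that opens an advisory.
            current_adv = {"title": field, "cves": [], "www": None}
            packages[current_pkg].append(current_adv)
    return packages, summary


def summary_matches(packages, summary):
    """True when pkg's summary agrees with the parsed advisory count
    (pkg counts one problem per advisory block, not per CVE)."""
    if summary is None:
        return False
    problems = sum(len(advs) for advs in packages.values())
    return summary == (problems, len(packages))


def cve_index(packages):
    """Map each CVE id to the package it was reported against."""
    return {cve: pkg for pkg, advs in packages.items()
            for adv in advs for cve in adv["cves"]}


def split_pkg(pkg):
    """Split 'name-version' as pkg prints it, e.g. 'openssl-3.0.18,1'."""
    name, _, version = pkg.rpartition("-")
    return name, version


if __name__ == "__main__":
    pkgs, summary = parse_audit(SAMPLE_AUDIT)
    for pkg, advs in pkgs.items():
        name, version = split_pkg(pkg)
        cves = [c for adv in advs for c in adv["cves"]]
        print("%s %s: %d advisory(ies): %s" % (name, version, len(advs), ", ".join(cves)))
    print("summary consistent:", summary_matches(pkgs, summary))
```

Feeding the saved output of a later audit to the same parser and diffing the two `cve_index` results shows which CVE ids a release actually cleared and which are newly reported, which is the question this thread keeps circling back to.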

Context business edition I presume?  We'll do 25.10.2 in the coming week.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Quote from: franco on February 08, 2026, 05:51:17 PM
Context business edition I presume?  We'll do 25.10.2 in the coming week.


Cheers,
Franco

Yes Sir. Thank you and the team for keeping us secured.
DEC740 > USW-Pro-8-PoE> U6-Enterprise
Dec670. Retired / backup device

25.10.2 is out since yesterday. We're planning for 26.1.2 at the end of this week to pick up the newer Python batch into community as well.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT