5 plugin vulnerabilities in 20.1.7

Started by cmdr.adama, June 06, 2020, 05:48:51 PM

Hey guys,

Not sure if you are aware or not, there are 5 packages in 20.1.7 with current vulnerabilities.

How far away are we looking for 20.1.8?

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
clamav-0.102.2,1 is vulnerable:
clamav -- multiple vulnerabilities
CVE: CVE-2020-3341
CVE: CVE-2020-3327
WWW: https://vuxml.FreeBSD.org/freebsd/91ce95d5-cd15-4105-b942-af5ccc7144c1.html

libnghttp2-1.40.0 is vulnerable:
nghttp2 -- DoS vulnerability
CVE: CVE-2020-11080
WWW: https://vuxml.FreeBSD.org/freebsd/4bb56d2f-a5b0-11ea-a860-08002728f74c.html

unbound-1.10.0 is vulnerable:
unbound -- mutliple vulnerabilities
CVE: CVE-2020-12663
CVE: CVE-2020-12662
WWW: https://vuxml.FreeBSD.org/freebsd/a2cb7c31-9c79-11ea-a9c2-d05099c0ae8c.html

json-c-0.13.1_1 is vulnerable:
json-c -- integer overflow and out-of-bounds write via a large JSON file
CVE: CVE-2020-12762
WWW: https://vuxml.FreeBSD.org/freebsd/abc3ef37-95d4-11ea-9004-25fadb81abf4.html

gnutls-3.6.13_1 is vulnerable:
GnuTLS -- flaw in TLS session ticket key construction
CVE: CVE-2020-13777
WWW: https://vuxml.FreeBSD.org/freebsd/ef5b4f5f-a658-11ea-80d7-001cc0382b2f.html
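The audit output above is the plain-text report the FreeBSD package tool prints, and it is easier to triage (which packages, which CVEs, which VuXML entry) once it is parsed into records. The following Python parser is an added example, not code from the original post or from the OPNsense project; it assumes only the line layout visible in the pasted report (a `<name>-<version> is vulnerable:` header, a one-line title, `CVE:` lines and a `WWW:` line per package), and the embedded sample is copied from three of the entries in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the first three entries of the audit report pasted in this
# thread, including the preamble lines the tool prints before the findings.
SAMPLE_AUDIT = """\
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
clamav-0.102.2,1 is vulnerable:
clamav -- multiple vulnerabilities
CVE: CVE-2020-3341
CVE: CVE-2020-3327
WWW: https://vuxml.FreeBSD.org/freebsd/91ce95d5-cd15-4105-b942-af5ccc7144c1.html

libnghttp2-1.40.0 is vulnerable:
nghttp2 -- DoS vulnerability
CVE: CVE-2020-11080
WWW: https://vuxml.FreeBSD.org/freebsd/4bb56d2f-a5b0-11ea-a860-08002728f74c.html

json-c-0.13.1_1 is vulnerable:
json-c -- integer overflow and out-of-bounds write via a large JSON file
CVE: CVE-2020-12762
WWW: https://vuxml.FreeBSD.org/freebsd/abc3ef37-95d4-11ea-9004-25fadb81abf4.html
"""

HEADER_SUFFIX = " is vulnerable:"
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # accept only well-formed CVE ids


@dataclass
class Finding:
    package: str                 # package name as installed, e.g. "json-c"
    version: str                 # version string as pkg prints it, e.g. "0.13.1_1"
    title: str = ""              # one-line VuXML title
    cves: List[str] = field(default_factory=list)
    url: str = ""                # VuXML advisory link


def parse_audit(text: str) -> List[Finding]:
    """Turn the audit report into one Finding per vulnerable package."""
    findings: List[Finding] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(HEADER_SUFFIX):
            # The version follows the last hyphen, so names like "json-c" survive.
            name, version = line[: -len(HEADER_SUFFIX)].rsplit("-", 1)
            current = Finding(package=name, version=version)
            findings.append(current)
        elif current is None:
            continue  # preamble such as "vulnxml file up-to-date"
        elif line.startswith("CVE: "):
            cve = line[len("CVE: "):]
            if CVE_RE.match(cve):
                current.cves.append(cve)
        elif line.startswith("WWW: "):
            current.url = line[len("WWW: "):]
        elif not current.title:
            current.title = line
    return findings


def all_cves(findings: List[Finding]) -> List[str]:
    """Sorted, de-duplicated list of every CVE id in the report."""
    return sorted({cve for f in findings for cve in f.cves})


if __name__ == "__main__":
    for f in parse_audit(SAMPLE_AUDIT):
        print(f"{f.package} {f.version}: {len(f.cves)} CVE(s) - {f.title}")
    print("distinct CVEs:", len(all_cves(parse_audit(SAMPLE_AUDIT))))
```

Feeding the real report through `parse_audit` gives a list that can be compared run to run, so a later audit shows which of the five packages have been rebuilt and which CVEs remain open.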

Nothing to be worried about. Everybody has this button for security audit - even developers. They know about it.

@franco: feature request: add hint not to post security audits to forum and explain its use case
Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz (24 cores)
256 GB RAM, 300GB RAID1, 3x4 10G Chelsio T540-CO-SR

> Where is the dev branch for 20.1.8 ?

Let's bring some quick facts to that...

There is no dev branch for 20.1.8 in particular. All major release stable changes go to... drum roll... stable/20.1

https://github.com/opnsense/core/commits/stable/20.1

From there you can see that we have tags and that 20.1.7 is already 27 commits behind that branch following our efforts this week to release 20.1.8.

Due to an upgrade issue we haven't been able to narrow down, we will not release 20.1.8, so there will be no tag for it.

https://twitter.com/opnsense/status/1276124128509153287

We appreciate the concern and nudging, but asking for something that isn't ready will not help. What helps is inspecting the process that the project established many years ago and going from there.

2020 is an interesting year for all of us and I am personally sorry for any inconvenience caused.

Cheers,
Franco


Quote from: franco on June 27, 2020, 12:11:12 PM
Due to an upgrade issue we haven't been able to narrow down, we will not release 20.1.8, so there will be no tag for it.

https://twitter.com/opnsense/status/1276124128509153287

We appreciate the concern and nudging, but asking for something that isn't ready will not help. What helps is inspecting the process that the project established many years ago and going from there.

2020 is an interesting year for all of us and I am personally sorry for any inconvenience caused.

Well... Better off holding off the release until it's fixed :)

Thanks for keeping us up to date with what's going on... Thankfully I haven't found any real issues with 20.1.7 so it's not that critical waiting for the 20.1.8 update but I'm a tad crazy in the sense that I really like keeping things up to date.

2020 has indeed been crazy and we're only halfway through.

It appears that 20.1.8 has been released. Thx