When I ran an AUDIT on SECURITY a vulnerability popped up

Started by saki22, December 09, 2020, 01:18:26 AM

I'm not sure this is a problem, but I thought I should share it in case it is one.
***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
openssl-1.1.1h_1,1 is vulnerable:
OpenSSL -- NULL pointer de-reference
CVE: CVE-2020-1971
WWW: https://vuxml.freebsd.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html

1 problem(s) in 1 installed package(s) found.
***DONE***

Yes. I suspect everyone is seeing this. :)


Cheers,
Franco


Takes 2 days to release a full new version, mostly to build packages early on so no-go on OpenSSL rebuild at release day. ;)

Too risky for hotfix as well so we will probably have to pick this up next week.


Cheers,
Franco

Quote from: cmdr.adama on December 09, 2020, 12:23:33 PM
Always the way just after you push a new version...

Better remove the self audit like with every other vendor where everyone just feels save, even after months of not updating? :)

December 09, 2020, 01:05:20 PM #5 Last Edit: December 09, 2020, 01:08:42 PM by cmdr.adama
Quote from: mimugmail on December 09, 2020, 12:57:44 PM
Better remove the self audit like with every other vendor where everyone just feels save, even after months of not updating? :)

It would stop a lot of these posts ;)

Quote from: franco on December 09, 2020, 12:29:07 PM
Too risky for hotfix as well so we will probably have to pick this up next week.

Oh yeah, just inconvenient timing for announcing the CVE.

Another problem popped up:
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
curl-7.73.0 is vulnerable:
cURL -- Multiple vulnerabilities
CVE: CVE-2020-8286
CVE: CVE-2020-8285
CVE: CVE-2020-8284
WWW: https://vuxml.freebsd.org/freebsd/3c77f139-3a09-11eb-929d-d4c9ef517024.html
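As an added example, not part of this thread and not OPNsense's or FreeBSD's own code, the following Python parser reads `pkg audit` output of the shape quoted above into structured findings, checks the parsed entries against the trailing "N problem(s)" summary line so a cut-off run is noticed, and separates CVEs already tracked for the next release from newly reported ones. The sample text is a constructed merge of the two runs posted above into the shape of one run; the `tracked` set of already-queued CVEs is a hypothetical placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two audit runs quoted above, merged into the shape of
# a single `pkg audit -F` run (banner, fetch line, entries, summary, footer).
SAMPLE_AUDIT_OUTPUT = """\
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
openssl-1.1.1h_1,1 is vulnerable:
OpenSSL -- NULL pointer de-reference
CVE: CVE-2020-1971
WWW: https://vuxml.freebsd.org/freebsd/1d56cfc5-3970-11eb-929d-d4c9ef517024.html

curl-7.73.0 is vulnerable:
cURL -- Multiple vulnerabilities
CVE: CVE-2020-8286
CVE: CVE-2020-8285
CVE: CVE-2020-8284
WWW: https://vuxml.freebsd.org/freebsd/3c77f139-3a09-11eb-929d-d4c9ef517024.html

2 problem(s) in 2 installed package(s) found.
***DONE***
"""

VULN_RE = re.compile(r"^(\S+) is vulnerable:$")
CVE_RE = re.compile(r"^CVE:\s*(CVE-\d{4}-\d{4,})$")
WWW_RE = re.compile(r"^WWW:\s*(\S+)$")
SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")
# Banner, fetch and database-status lines that carry no finding data.
NOISE_RE = re.compile(r"^(\*\*\*.*\*\*\*|Fetching .*|vulnxml file .*)$")


@dataclass
class Finding:
    name: str                  # package name, e.g. "openssl"
    version: str               # installed version, e.g. "1.1.1h_1,1"
    title: str                 # VuXML entry title
    cves: list = field(default_factory=list)
    url: str = ""              # link to the VuXML entry


def parse_audit(text):
    """Parse `pkg audit` text into (findings, reported_problem_count).

    reported_problem_count is None when no summary line was present, which
    usually means the output was cut off before the run finished.
    """
    findings, current, package, reported = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or NOISE_RE.match(line):
            continue
        m = SUMMARY_RE.match(line)
        if m:
            reported = int(m.group(1))
            current = package = None
            continue
        m = VULN_RE.match(line)
        if m:
            package = m.group(1)
            current = None
            continue
        if package is None:
            continue  # text outside any package block
        m = CVE_RE.match(line)
        if m:
            if current is not None:
                current.cves.append(m.group(1))
            continue
        m = WWW_RE.match(line)
        if m:
            if current is not None:
                current.url = m.group(1)
            continue
        # Anything else inside a package block is a VuXML entry title; a second
        # title under the same package header starts another entry.
        name, _, version = package.rpartition("-")
        current = Finding(name, version, line)
        findings.append(current)
    return findings, reported


def summary_matches(findings, reported):
    """True when the trailing summary line agrees with the entries parsed."""
    return reported is not None and reported == len(findings)


def new_cves(findings, already_tracked):
    """Map package name -> sorted CVEs that are not yet in already_tracked."""
    result = {}
    for f in findings:
        fresh = [c for c in f.cves if c not in already_tracked]
        if fresh:
            result.setdefault(f.name, []).extend(fresh)
    for cves in result.values():
        cves.sort()
    return result


if __name__ == "__main__":
    findings, reported = parse_audit(SAMPLE_AUDIT_OUTPUT)
    tracked = {"CVE-2020-1971"}  # hypothetical: CVEs already queued for the next release
    print("summary consistent:", summary_matches(findings, reported))
    for pkg, cves in new_cves(findings, tracked).items():
        print(f"{pkg}: {', '.join(cves)}")
```

Running the script on the sample reports the summary as consistent and lists only the three curl CVEs as new, since the OpenSSL one is in the tracked set. A missing summary line makes `summary_matches` return False, which is the case to watch for when audit output is pasted from a session that was interrupted mid-run.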

Guys... I'm not sure if you already realized that OPNsense doesn't push updates for every single pkg?
The audit logs are for your own usage, the team updates the ports/pkgs and will release them with the next update.

That's the way every firewall vendor works: Sophos, Cisco, pfSense, SonicWall and so on.

With your ongoing posts you are demotivating the staff and may get this useful source removed to stop the noise.

curl is just a downloader, if you see a CVE and you are paranoid, just don't use it?! If you see one for OpenSSL and you are paranoid, switch to Libre. Or just wait for an update.

If the update were that critical there would be a hotfix; if there isn't one, it's not critical.

I thought sharing this would be helpful for the devs to fix problems or issues.

Contrary to popular opinion the devs have OPNsense installations that enable them to click the security audit button every day. They also screen the FreeBSD ports for updates every day and look out for such security announcements in said vulnerability database.

The choice was to use the FreeBSD database instead of using our own copy. Using a copy would have made it harder to get such security information to users as quickly as possible.

Also we think that providing an unfiltered view on security issues in third party software is healthy.

Yes, we are still talking about third party software which we happen to use. Today there are over 100 third party packages and we expect some of those have security bugs every now and then.

And when they do and light up in the security audit, you can be sure that the next update will fix them.

If not, the release notes would probably state why.

In fact, the security audit also contains links to full reports on whether users are actually exposed to these risks and how to mitigate them.

That's all for now. ;)


Cheers,
Franco

I was trying to be helpful; now I feel I was being an annoyance to the devs. I apologize for being an annoyance to the devs.