CVE-2018-25032 , zlib,

Started by PerpetualNewbie, March 29, 2022, 03:54:38 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions
March 29, 2022, 03:54:38 AM Last Edit: March 29, 2022, 10:20:23 AM by PerpetualNewbie
Is there a plan to address CVE-2018-25032 / zlib for OS with OPNSense?
( https://nvd.nist.gov/vuln/detail/CVE-2018-25032 )
If so, any date for planned upgrade?
Thanks!

/var/etc/lighty-webConfigurator.conf:
...
## modules to load
server.modules              = (
  "mod_access", "mod_expire", "mod_deflate", "mod_redirect", "mod_setenv",
  "mod_cgi", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_openssl"
)
...

# ldd /usr/local/lib/lighttpd/mod_deflate.so
/usr/local/lib/lighttpd/mod_deflate.so:
   libz.so.6 => /lib/libz.so.6 (0x80065a000)
   libc.so.7 => /lib/libc.so.7 (0x800260000)

(This appears to be a part of the core OS (buildworld) not from a pkg.)

Is the suggested path until there is a fix to disable mod_deflate from being loaded?

Thanks!

(I don't use OPNSense IPSEC/Strongswan, or OpenVPN so these were not included in my review.)
(I tried searching for this CVE in forums, but found no hits, so I created this post/thread/question.)
March 29, 2022, 02:31:37 PM #1
Looks like this is still developing since March 25 where it was publicly raised. I have no more info on this at the moment as FreeBSD src would have to release a security advisory for the base library and FreeBSD ports needs to update the zlib version or add the patch manually.


Cheers,
Franco
March 29, 2022, 03:04:03 PM #2
Thanks!
April 13, 2022, 09:57:33 AM #3
Notes for "22.1.5" include:
"
...
Due to popular demand the user experience for the revamped VLAN handling was improved in several areas. Also incuded are a larger Unbound MVC rework and DNS system route apply changes from one single spot. Last but not least the zlib vulnerability was fixed in FreeBSD amongst others.
...
src: zlib compression out-of-bounds write[9]
...
"
It looks like 22.1.5 notes say this CVE was addressed. Thanks!
Print
Go Up Pages1
User actions