OPNsense Forum » Archive » 23.1 Legacy Series » Security Audit: y39-setuptools-63.1.0 and openssl-1.1.1t_2,1
Topic: Security Audit: y39-setuptools-63.1.0 and openssl-1.1.1t_2,1 (Read 1115 times)
z0rk
Security Audit: y39-setuptools-63.1.0 and openssl-1.1.1t_2,1 « on: June 06, 2023, 04:29:54 am »
I ran a security audit and got the following.
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.1.9 at Mon Jun 5 19:21:32 PDT 2023
vulnxml file up-to-date
openssl-1.1.1t_2,1 is vulnerable:
OpenSSL -- Possible DoS translating ASN.1 identifiers
CVE: CVE-2023-2650
WWW: https://vuxml.FreeBSD.org/freebsd/eb9a3c57-ff9e-11ed-a0d1-84a93843eb75.html
py39-setuptools-63.1.0 is vulnerable:
py39-setuptools -- denial of service vulnerability
CVE: CVE-2022-40897
WWW: https://vuxml.FreeBSD.org/freebsd/1b38aec4-4149-4c7d-851c-3c4de3a1fbd0.html
2 problem(s) in 2 installed package(s) found.
***DONE***
I've seen posts dating back to 2021/2022 that talk about similar or possibly the same issue. Is there any concern?
Thank you
OPNsense 24.7.2
franco
Administrator
Re: Security Audit: y39-setuptools-63.1.0 and openssl-1.1.1t_2,1 « Reply #1 on: June 06, 2023, 09:01:09 am »
A lot to unpack...
> CVE-2023-2650
> I've seen posts dating back to 2021/2022 that talk about similar or possibly the same issue.
That seems unlikely.
> CVE-2022-40897
It's been in FreeBSD ports for some weeks now. It doesn't look very relevant to normal operation.
> Is there any concern?
Depends on the question
Is there any concern to make known vulnerabilities public? No.
Is there any concern to know vulnerabilities exist? No.
Is there any concern to the security of your installation? I don't know.
Cheers,
Franco
z0rk
Re: Security Audit: y39-setuptools-63.1.0 and openssl-1.1.1t_2,1 « Reply #2 on: June 08, 2023, 12:51:20 am »
Thanks for clarifying, Franco. 👍
OPNsense 24.7.2