Question about 2 vulnerabilities in 25.1.10

Started by holunde, July 04, 2025, 12:18:17 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 04, 2025, 12:18:17 PM
I'm just wondering, why a release is coming out with these 2 new vulnerabilities?

Currently running OPNsense 25.1.10 (amd64) at Fri Jul  4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.freebsd.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***
July 04, 2025, 01:26:14 PM #1
The PHP vulnerabilities came out after 25.1.10 was released. I did the check just after installation and they were not listed.

The sudo vulnerabilities are not applicable to OpnSense, because you do not have SSH users that do not also have root privileges - or at least, you should not have them.

25.7 is due to release on 2025-07-23 and I guess this will be fixed then.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
July 04, 2025, 09:39:34 PM #2
Hi

Ok, that makes sense. Thanks for your reply!
Print
Go Up Pages1
User actions