Curl and Bind vulnerable

[Jack V]

Its been a long time, thought I give OPNsense a try again. Looks very good and works great!

Did nobody else notice yet? Curl and Bind are vulnerable.

Code: [Select]

***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
curl-7.53.1 is vulnerable:
cURL -- out of buffer read
CVE: CVE-2017-7407
WWW: https://vuxml.FreeBSD.org/freebsd/04f29189-1a05-11e7-bc6e-b499baebfeaf.html

bind911-9.11.0P3 is vulnerable:
BIND -- multiple vulnerabilities
CVE: CVE-2017-3138
CVE: CVE-2017-3137
CVE: CVE-2017-3136
WWW: https://vuxml.FreeBSD.org/freebsd/c6861494-1ffb-11e7-934d-d05099c0ae8c.html

2 problem(s) in the installed packages found.
***DONE***


[franco]

This happens all the time. Of course we notice, but we don't control this database as it is fed via FreeBSD. Sometimes there is also a CVE but no fix available. Sometimes they happen right after a firmware release.

It's a way of tracking problems, giving visibility to you for vulnerability management beyond a mere update of OPNsense.

Both of these issues will be addressed with OPNsense 17.1.5 this week.

Between showing this info in advance or hiding it, we chose the former.