Topic: curl 7.64.0 (Read 2512 times)
sigrme2449
curl 7.64.0 « on: February 22, 2019, 07:42:03 pm »
I noticed OPNsense 19.1.1 (on latest version) is still running 7.63.0_1 (from the package viewer).
I was wondering if OPNsense isn't vulnerable to the latest exploits via:
https://nvd.nist.gov/vuln/detail/CVE-2018-16890
https://nvd.nist.gov/vuln/detail/CVE-2019-3822
https://nvd.nist.gov/vuln/detail/CVE-2019-3823
I really like OPNsense a lot more than pfSense (and I hate to point this out), but I noticed pfSense fixed this or released instructions on manually updating packages on Feb 15th. I haven't done an audit to confirm OPNsense is vulnerable, but I would assume so because of the versioning number. Could we have a small update to update this package to the latest, or instructions on how to? Or has the attack surface changed where this is a non-issue?
sigrme2449
Re: curl 7.64.0 « Reply #1 on: February 22, 2019, 08:21:40 pm »
Looking more into this, just as an update:
I think curl is mostly used on lighttpd (the HTTP server OPNsense uses by default) on most installs.
So unless you really have remote web management turned on, this is a non-issue on the WAN side.
However, on the LAN side, this is an issue if you still have a LAN/VLAN that can access the HTTP management.
franco
Re: curl 7.64.0 « Reply #2 on: February 27, 2019, 08:56:54 am »
19.1.1 was released on February 5:
https://github.com/opnsense/changelog/blob/master/doc/19.1/19.1.1#L1
Curl 7.54.0 was released on February 6:
https://curl.haxx.se/changes.html
19.1.2 will be released this week.
I agree that between .1 and .2 there is a larger gap and now we can debate why that is and why it may be bad.
Or we could agree that we have shipped a release every two weeks on average for a long time, and .2 is the logical place to fix it despite its displacement (statistics aside, which would make this ok in the end).
Other projects don't do this and it is often voiced as a key concern and why OPNsense matters in this regard.
Cheers,
Franco