curl 7.64.0

Started by sigrme2449, February 22, 2019, 07:42:03 PM

I noticed OPNsense 19.1.1 (on the latest version) is still running 7.63.0_1 (from the package viewer)

I was wondering if OPNsense isn't vulnerable to the latest exploits via

https://nvd.nist.gov/vuln/detail/CVE-2018-16890
https://nvd.nist.gov/vuln/detail/CVE-2019-3822
https://nvd.nist.gov/vuln/detail/CVE-2019-3823

I really like OPNsense a lot more than pfSense (and I hate to point this out), but I noticed pfSense fixed this or released instructions on manually updating packages on Feb 15th. I haven't done an audit to confirm OPNsense is vulnerable, but I would assume so because of the version number. Could we have a small update to bring this package to the latest version, or instructions on how to? Or has the attack surface changed so that this is a non-issue?

Looking more into this, just as an update

I think curl is mostly used by lighttpd (the HTTP server OPNsense uses by default) on most installs.

So unless you really have remote web management turned on, this is a non-issue on the WAN side.
However, on the LAN side this is an issue if you still have a LAN/VLAN that can access the HTTP management interface.
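One way to turn the version question above into a repeatable check, added here and not taken from the thread: a POSIX sh script that parses the FreeBSD pkg version string as shown in the package viewer and compares it against curl 7.64.0, the release that fixed CVE-2018-16890, CVE-2019-3822 and CVE-2019-3823. The installed version is a constructed input; on a live box it would come from `pkg query %v curl`.

```shell
#!/bin/sh
# Added example: decide whether an installed curl package version string
# (e.g. "7.63.0_1" as shown by the OPNsense package viewer) predates the
# release that fixed CVE-2018-16890, CVE-2019-3822 and CVE-2019-3823.
# The version checked at the bottom is a constructed input; on a live
# system it would be read with: pkg query %v curl

FIXED_VERSION="7.64.0"

# strip_pkg_revision: drop the FreeBSD port revision ("_1") and epoch
# (",1") suffixes; they describe the port, not the upstream curl version.
strip_pkg_revision() {
    printf '%s\n' "$1" | sed -e 's/,.*$//' -e 's/_.*$//'
}

# version_lt A B: exit 0 if dotted version A is numerically lower than B.
# A trailing "." is appended so cut always sees a delimiter and returns an
# empty field (treated as 0) once a version runs out of components.
version_lt() {
    a="$(strip_pkg_revision "$1")."
    b="$(strip_pkg_revision "$2")."
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # all components equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# curl_needs_update VERSION: print a verdict; exit 0 when the installed
# build is older than the fixed release, 1 otherwise.
curl_needs_update() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "curl $1 predates $FIXED_VERSION: affected, update needed"
        return 0
    fi
    echo "curl $1 is $FIXED_VERSION or newer: not affected by these CVEs"
    return 1
}

# Constructed input matching the version quoted in the thread.
curl_needs_update "7.63.0_1"
```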

19.1.1 was released on February 5:

https://github.com/opnsense/changelog/blob/master/doc/19.1/19.1.1#L1

Curl 7.54.0 was released on February 6:

https://curl.haxx.se/changes.html

19.1.2 will be released this week.

I agree that between .1 and .2 there is a larger gap and now we can debate why that is and why it may be bad.

Or we could agree that we have shipped a release every two weeks on average for a long time, and .2 is the logical place to fix it despite its displacement (statistics aside, which would make this OK in the end).

Other projects don't do this and it is often voiced as a key concern and why OPNsense matters in this regard.


Cheers,
Franco