OPNsense Forum » Archive » 19.7 Legacy Series » CVE-2020-7450
Topic: CVE-2020-7450 (Read 3648 times)
mcc85s
Newbie, Posts: 6, Karma: 0
CVE-2020-7450
« on: January 30, 2020, 08:58:33 pm »
Reporting a CVE surfacing after yesterday's update:
-----
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
pkg-1.12.0 is vulnerable:
pkg -- vulnerability in libfetch
CVE: CVE-2020-7450
WWW:
https://vuxml.FreeBSD.org/freebsd/2af10639-4299-11ea-aab1-98fa9bfec35a.html
1 problem(s) in 1 installed package(s) found.
***DONE***
-----
franco
Administrator, Hero Member, Posts: 17665, Karma: 1611
Re: CVE-2020-7450
« Reply #1 on: January 30, 2020, 09:16:55 pm »
As said a number of times: posting vulnerability reports does not help because we all see the same thing.
skyroute
Newbie, Posts: 11, Karma: 2
Re: CVE-2020-7450
« Reply #2 on: January 31, 2020, 01:07:10 am »
It helps us, so we know this vulnerability affects this specific software and its components.
banym
Sr. Member, Posts: 468, Karma: 31
Free Human Being, FreeBSD, Linux and Mac nerd
Re: CVE-2020-7450
« Reply #3 on: January 31, 2020, 07:50:41 am »
That's what the audit function is for.
It reports to you that a known problem affects a package or software component on your system.
Since the developers are following the FreeBSD and HBSD projects very closely, we can be sure that with the next tested and QA-signed update the fixes will be included when everything still works as expected.
We can't complain about reaction time here so give them some time for QA and I am sure it will be addressed within the next updates. This helps to keep up a positive mentality within our community.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de

skyroute
Newbie, Posts: 11, Karma: 2
Re: CVE-2020-7450
« Reply #4 on: January 31, 2020, 08:00:08 am »
Oh, I did not realize that's what the 'Audit' function is for.
Thank you for pointing this out. This is super cool.
As far as positive mentality... could not agree with you more. This is an open source project. We get to use this software royalty free and I would not dare to be negative about any of this.
OPNsense has been a reliable software for quite some time. I trust it any time over Cisco, Juniper or whowawa... and I can't thank enough the developers and everyone who contributes to the project.
Damien
franco
Administrator, Hero Member, Posts: 17665, Karma: 1611
Re: CVE-2020-7450
« Reply #5 on: January 31, 2020, 08:13:51 am »
I'm not against posting this info here, but it comes with a responsibility to either explain or ask a question, not copy+paste. Because doing neither will only create confusion.
The timing is unfortunate. We need 4 days for a major release from build to finish including image testing and everything around announcements so a security issue can not be picked up earlier without postponing the release to next week, where we can do a 20.1.1 to address this much easier and quicker.
The particular issue should not be of concern here because feeding pkg manipulated URLs requires access to vital systems such as GUI access to firmware pages, config import or shell access and you should really be trusting the people who have these privileges.
Cheers,
Franco
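An added example, not from the thread or the OPNsense project: a small Python parser for the `pkg audit` report format quoted in the first post, so that the findings the audit function produces can be forwarded to a ticket or monitoring system instead of being pasted by hand. The sample input is constructed from the output above, with the WWW URL on the same line as pkg prints it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the audit output quoted in the thread.
SAMPLE_AUDIT_OUTPUT = """\
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
pkg-1.12.0 is vulnerable:
pkg -- vulnerability in libfetch
CVE: CVE-2020-7450
WWW: https://vuxml.FreeBSD.org/freebsd/2af10639-4299-11ea-aab1-98fa9bfec35a.html

1 problem(s) in 1 installed package(s) found.
***DONE***
"""

@dataclass
class Finding:
    package: str                  # package name without version, e.g. "pkg"
    version: str                  # installed version, e.g. "1.12.0"
    title: str                    # VuXML entry title
    cves: list = field(default_factory=list)
    urls: list = field(default_factory=list)

# "name-version is vulnerable:"; the name may itself contain hyphens, the version does not.
VULN_RE = re.compile(r"^(?P<pkg>.+)-(?P<ver>[^-]+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(?P<n>\d+) problem\(s\) in (?P<m>\d+) installed package\(s\) found\.$")

def parse_pkg_audit(text):
    """Return (findings, (problems, packages)) parsed from pkg audit output."""
    findings, current, summary = [], None, (0, 0)
    for raw in text.splitlines():
        line = raw.strip()
        m = VULN_RE.match(line)
        if m:                                     # start of a new vulnerable package
            current = Finding(m["pkg"], m["ver"], "")
            findings.append(current)
            continue
        s = SUMMARY_RE.match(line)
        if s:                                     # trailing summary ends the report
            summary = (int(s["n"]), int(s["m"]))
            current = None
            continue
        if current is None or not line:           # banner / fetch lines, blank lines
            continue
        if line.startswith("CVE:"):               # may repeat for multi-CVE entries
            current.cves.extend(line[4:].split())
        elif line.startswith("WWW:"):
            current.urls.append(line[4:].strip())
        elif not current.title:                   # first free-text line is the title
            current.title = line
    return findings, summary
```

The summary tuple lets a caller cross-check that the number of parsed packages matches what pkg reported, which catches a truncated or reformatted report.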