CVE-2020-7450

Started by mcc85s, January 30, 2020, 08:58:33 PM

Reporting a CVE surfacing after yesterday's update:

-----
***GOT REQUEST TO AUDIT SECURITY***
Fetching vuln.xml.bz2: .......... done
pkg-1.12.0 is vulnerable:
pkg -- vulnerability in libfetch
CVE: CVE-2020-7450
WWW: https://vuxml.freebsd.org/freebsd/2af10639-4299-11ea-aab1-98fa9bfec35a.html

1 problem(s) in 1 installed package(s) found.
***DONE***
-----

As said a number of times: posting vulnerability reports does not help because we all see the same thing. ;)

It helps us, so we know this vulnerability affects this specific software and its components.

That's what the audit function is for.
It reports to you that a known problem affects a package or software component on your system.

Since the developers are following the FreeBSD and HBSD projects very closely, we can be sure that the fixes will be included with the next tested and QA-signed update, once everything still works as expected.

We can't complain about reaction time here so give them some time for QA and I am sure it will be addressed within the next updates. This helps to keep up a positive mentality within our community.
Twitter: banym
Mastodon: banym@bsd.network
Blog: https://www.banym.de
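As an added example (not part of this thread or of OPNsense's own tooling), the record format shown in the audit output above can be parsed so that a cron job or monitoring script reacts to a specific CVE instead of a human reading the firmware page. The sample text below is constructed from the output quoted in the first post; the function names are my own.

```shell
# Added example, not code from the thread or from OPNsense/FreeBSD.
# Constructed sample: the pkg audit output quoted earlier in this thread.
AUDIT_SAMPLE='Fetching vuln.xml.bz2: .......... done
pkg-1.12.0 is vulnerable:
pkg -- vulnerability in libfetch
CVE: CVE-2020-7450
WWW: https://vuxml.freebsd.org/freebsd/2af10639-4299-11ea-aab1-98fa9bfec35a.html

1 problem(s) in 1 installed package(s) found.'

# Read pkg audit output on stdin and print one "package<TAB>cve<TAB>url"
# line per CVE. A record starts with "<pkg> is vulnerable:", carries one or
# more "CVE:" lines and ends with a "WWW:" line pointing at the VuXML entry.
parse_pkg_audit() {
    awk '
        /^[^ ]+ is vulnerable:$/ { pkg = $1; cves = ""; next }
        /^CVE: /                  { cves = cves " " $2; next }
        /^WWW: / {
            n = split(cves, arr, " ")
            for (i = 1; i <= n; i++) print pkg "\t" arr[i] "\t" $2
            cves = ""
            next
        }
    '
}

# Exit 0 if the CVE given as $1 is listed in the audit output on stdin,
# 1 otherwise; usable as "pkg audit -F | audit_has_cve CVE-2020-7450".
audit_has_cve() {
    parse_pkg_audit | awk -v want="$1" '$2 == want { found = 1 } END { exit found ? 0 : 1 }'
}
```

On a real system the sample would be replaced by the output of `pkg audit -F` (the `-F` fetches a fresh vuln.xml, as the "Fetching vuln.xml.bz2" line in the post shows). The parser only recognises the three line shapes visible in the quoted output; anything else in the stream is ignored.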

Oh, I did not realize that's what the 'Audit' function is for.
Thank you for pointing this out. This is super cool.
As far as positive mentality... could not agree with you more. This is an open source project. We get to use this software royalty free and I would not dare to be negative about any of this.

OPNsense has been reliable software for quite some time. I trust it any time over Cisco, Juniper or whowawa... and I can't thank the developers and everyone who contributes to the project enough.

Damien

I'm not against posting this info here, but it comes with a responsibility to either explain or ask a question, not copy+paste. Because doing neither will only create confusion.

The timing is unfortunate. We need 4 days for a major release from build to finish including image testing and everything around announcements so a security issue can not be picked up earlier without postponing the release to next week, where we can do a 20.1.1 to address this much easier and quicker.

The particular issue should not be of concern here because feeding pkg manipulated URLs requires access to vital systems such as GUI access to firmware pages, config import or shell access and you should really be trusting the people who have these privileges. :)


Cheers,
Franco