5 plugin vulnerabilities in 20.1.7

[cmdr.adama]

Hey guys,

Not sure if you are aware or not, there are 5 packages in 20.1.7 with current vulnerabilities.

How far away are we looking for 20.1.8?

Code: [Select]

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
clamav-0.102.2,1 is vulnerable:
clamav -- multiple vulnerabilities
CVE: CVE-2020-3341
CVE: CVE-2020-3327
WWW: https://vuxml.FreeBSD.org/freebsd/91ce95d5-cd15-4105-b942-af5ccc7144c1.html

libnghttp2-1.40.0 is vulnerable:
nghttp2 -- DoS vulnerability
CVE: CVE-2020-11080
WWW: https://vuxml.FreeBSD.org/freebsd/4bb56d2f-a5b0-11ea-a860-08002728f74c.html

unbound-1.10.0 is vulnerable:
unbound -- mutliple vulnerabilities
CVE: CVE-2020-12663
CVE: CVE-2020-12662
WWW: https://vuxml.FreeBSD.org/freebsd/a2cb7c31-9c79-11ea-a9c2-d05099c0ae8c.html

json-c-0.13.1_1 is vulnerable:
json-c -- integer overflow and out-of-bounds write via a large JSON file
CVE: CVE-2020-12762
WWW: https://vuxml.FreeBSD.org/freebsd/abc3ef37-95d4-11ea-9004-25fadb81abf4.html

gnutls-3.6.13_1 is vulnerable:
GnuTLS -- flaw in TLS session ticket key construction
CVE: CVE-2020-13777
WWW: https://vuxml.FreeBSD.org/freebsd/ef5b4f5f-a658-11ea-80d7-001cc0382b2f.html

[hbc]

Nothing to be worried about. Everybody has this button for security audit - even developers. The know about it.

@franco: feature request: add hint not to post security audits to forum and explain its use case

[b3k]

Any update?

[mimugmail]

Will be in 20.1.8 .. no worries.

[b3k]

Where is the dev branch for 20.1.8 ?

https://github.com/opnsense/core/tree/20.1.8

[mimugmail]

It will picked from master, why are you asking?

[franco]

> Where is the dev branch for 20.1.8 ?

Let's bring some quick facts to that...

There is no dev branch for 20.1.8 in particular. All major release stable changes go to... drum roll... stable/20.1

https://github.com/opnsense/core/commits/stable/20.1

From there you can see that we have tags and that 20.1.7 is already 27 commits behind that branch following our efforts this week to release 20.1.8.

Due to an upgrade issue we haven't been able to narrow down we will not release 20.1.8, so there will be no tag for it.

https://twitter.com/opnsense/status/1276124128509153287

We appreciate the concern and nudging, but asking for something that isn't ready will not help. What helps is inspecting process that the project has established many years ago and going from there.

2020 is an interesting year for all of us and I am personally sorry for any inconvenience caused.


Cheers,
Franco

[b3k]

Thanks. 

[cmdr.adama]

Due to an upgrade issue we haven't been able to narrow down we will not release 20.1.8, so there will be no tag for it.

https://twitter.com/opnsense/status/1276124128509153287

We appreciate the concern and nudging, but asking for something that isn't ready will not help. What helps is inspecting process that the project has established many years ago and going from there.

2020 is an interesting year for all of us and I am personally sorry for any inconvenience caused.

Well.. Better off holding off the release until it's fixed

Thanks for keeping us up to date with what's going on... Thankfully I haven't found any real issues with 20.1.7 so it's not that critical waiting for the 20.1.8 update but I'm a tad crazy in the sense that I really like keeping things up to date.

2020 has indeed been crazy and we're only half way through.

[b3k]

It appears that 20.1.8 has been released.  Thx