OPNsense Forum » Archive » 21.7 Legacy Series » Security Issues
Topic: Security Issues (Read 2781 times)
Brother4Life760 (Newbie, Posts: 3, Karma: 0)
Security Issues « on: December 10, 2021, 07:48:18 pm »
Is the team aware of the 4 security bugs?
***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Fri Dec 10 10:47:31 PST 2021
vulnxml file up-to-date
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
***DONE***
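The audit report in the post above has a regular shape (a package header, then one title / CVE / WWW group per advisory, then a summary count), so it can be parsed for triage. The following is an added example, not part of the original thread or of OPNsense; `parse_audit` and `is_complete` are hypothetical names, and the embedded report is the one from the post with each URL on the same line as its `WWW:` label.

```python
import re

# Report text taken from the first post (OPNsense 21.7.6 security audit).
REPORT = """\
nss-3.72 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
CVE: CVE-2021-41817
WWW: https://vuxml.FreeBSD.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
rubygem-cgi -- buffer overrun in CGI.escape_html
CVE: CVE-2021-41816
WWW: https://vuxml.FreeBSD.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
CVE: CVE-2021-41819
WWW: https://vuxml.FreeBSD.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
"""

PKG = re.compile(r"^(\S+) is vulnerable:$")
TOTAL = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")

def parse_audit(text):
    """Return ({package: [advisory, ...]}, (problems, packages) or None)."""
    findings, total, pkg = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PKG.match(line):
            pkg = m.group(1)
            findings[pkg] = []
        elif m := TOTAL.match(line):
            total = (int(m.group(1)), int(m.group(2)))
        elif pkg is None or not line:
            continue  # banner or blank lines before the first package header
        elif line.startswith("CVE:") and findings[pkg]:
            findings[pkg][-1]["cves"].append(line[4:].strip())
        elif line.startswith("WWW:") and findings[pkg]:
            findings[pkg][-1]["url"] = line[4:].strip()
        elif line.startswith("http") and findings[pkg] and not findings[pkg][-1]["url"]:
            findings[pkg][-1]["url"] = line  # URL wrapped onto the line after "WWW:"
        elif " -- " in line:
            findings[pkg].append({"title": line, "cves": [], "url": ""})
    return findings, total

def is_complete(findings, total):
    """True when the parsed advisories match the report's own summary line."""
    return total == (sum(len(v) for v in findings.values()), len(findings))
```

Comparing the parsed entries against the summary line catches a truncated or partially pasted report before anyone triages from it.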
chemlud (Hero Member, Posts: 2486, Karma: 112)
Re: Security Issues « Reply #1 on: December 10, 2021, 08:04:59 pm »
https://forum.opnsense.org/index.php?topic=13572.msg62511#msg62511
https://forum.opnsense.org/index.php?topic=13571.msg62475#msg62475
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare
felix eichhorn's premium cat food with the extra portion of energy
A router is not a switch - A router is not a switch - A router is not a switch - A rou....
Brother4Life760 (Newbie, Posts: 3, Karma: 0)
Re: Security Issues « Reply #2 on: December 10, 2021, 08:39:58 pm »
Doesn't answer my question in full though; these bugs have been there for two releases now.
Greelan (Hero Member, Posts: 1028, Karma: 72)
Security Issues « Reply #3 on: December 11, 2021, 11:18:34 pm »
You need to relax a little.
The latest OPNsense version was released on 25 November.
The NSS issue was reported on 1 December - after the latest OPNsense version.
The ruby issues were patched in FreeBSD on 24 November - likely too late in the build process for the latest OPNsense version to be included.
It is probable they will be addressed in 21.7.7.
As the links given by chemlud indicate, the security audit in OPNsense is just a service given to the user. Do you check and follow CVEs on all the operating systems you use and hassle developers about fixing them? Unlikely. At least OPNsense gives more visibility on stuff like this than probably every other system you use.
« Last Edit: December 14, 2021, 09:50:24 pm by Greelan »
franco (Administrator, Hero Member, Posts: 17665, Karma: 1611)
Re: Security Issues « Reply #4 on: December 12, 2021, 02:11:21 pm »
Yes, both ruby and nss will be updated with 21.7.7 next week. The relevant updates are already in the ports tree and can be rebuilt manually if necessary.
Cheers,
Franco
fabian (Hero Member, Posts: 2769, Karma: 200, OPNsense Contributor (Language, VPN, Proxy, etc.))
Re: Security Issues « Reply #5 on: December 12, 2021, 08:15:25 pm »
Also, the affected Ruby code is not used or not in a way it would be exploitable.
Ruby is only used as glue code between the OPNsense GUI or API and some backend processes running on OPNsense. For example, as a client for the TOR management protocol.
Brother4Life760 (Newbie, Posts: 3, Karma: 0)
Re: Security Issues « Reply #6 on: December 13, 2021, 06:44:38 pm »
Okay, thanks dev. I use Ruby so was just curious; thanks for an update. Great to see the devs are active with their members.