Security Issues

Started by Brother4Life760, December 10, 2021, 07:48:18 PM

Is the team aware of the 4 security bugs?

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 21.7.6 (amd64/OpenSSL) at Fri Dec 10 10:47:31 PST 2021
vulnxml file up-to-date
nss-3.72 is vulnerable:
  NSS -- Memory corruption
  CVE: CVE-2021-43527
  WWW: https://vuxml.freebsd.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html

ruby-2.7.4,1 is vulnerable:
  rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
  CVE: CVE-2021-41817
  WWW: https://vuxml.freebsd.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html

  rubygem-cgi -- buffer overrun in CGI.escape_html
  CVE: CVE-2021-41816
  WWW: https://vuxml.freebsd.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html

  rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
  CVE: CVE-2021-41819
  WWW: https://vuxml.freebsd.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html

4 problem(s) in 2 installed package(s) found.
***DONE***

kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

felix eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....

Doesn't answer my question in full though; these bugs have been there for two releases now.

December 11, 2021, 11:18:34 PM #3 Last Edit: December 14, 2021, 09:50:24 PM by Greelan
You need to relax a little.

The latest OPNsense version was released on 25 November.

The NSS issue was reported on 1 December - after the latest OPNsense version.

The ruby issues were patched in FreeBSD on 24 November - likely too late in the build process for the latest OPNsense version to be included.

It is probable they will be addressed in 21.7.7.

As the links given by chemlud indicate, the security audit in OPNsense is just a service given to the user. Do you check and follow CVEs on all the operating systems you use and hassle developers about fixing them? Unlikely. At least OPNsense gives more visibility on stuff like this than probably every other system you use.

Yes, both ruby and nss will be updated with 21.7.7 next week. The relevant updates are already in the ports tree and can be rebuilt manually if necessary.


Cheers,
Franco

Also, the affected Ruby code is not used or not in a way it would be exploitable.

Ruby is only used as glue code between the OPNsense GUI or API and some backend processes running on OPNsense, for example as a client for the TOR management protocol.

Okay, thanks dev. I use Ruby so was just curious; thanks for an update. Great to see the devs are active with their members.
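The audit report quoted at the top of this thread can be triaged mechanically rather than by eye. As an added example (not part of the original thread and not OPNsense code), this Python parser reads that text layout into packages and CVEs and checks the entries against the report's own summary line, so a truncated paste is caught; the names `parse_audit` and `is_complete` are hypothetical.

```python
import re

# Audit output as quoted in the first post of this thread (blank lines dropped).
SAMPLE = """\
vulnxml file up-to-date
nss-3.72 is vulnerable:
  NSS -- Memory corruption
  CVE: CVE-2021-43527
  WWW: https://vuxml.freebsd.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
ruby-2.7.4,1 is vulnerable:
  rubygem-date -- Regular Expression Denial of Service Vunlerability of Date Parsing Methods
  CVE: CVE-2021-41817
  WWW: https://vuxml.freebsd.org/freebsd/6916ea94-4628-11ec-bbe2-0800270512f4.html
  rubygem-cgi -- buffer overrun in CGI.escape_html
  CVE: CVE-2021-41816
  WWW: https://vuxml.freebsd.org/freebsd/2c6af5c3-4d36-11ec-a539-0800270512f4.html
  rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
  CVE: CVE-2021-41819
  WWW: https://vuxml.freebsd.org/freebsd/4548ec97-4d38-11ec-a539-0800270512f4.html
4 problem(s) in 2 installed package(s) found.
"""

PKG_RE = re.compile(r"^(\S+) is vulnerable:$")
SUMMARY_RE = re.compile(r"^(\d+) problem\(s\) in (\d+) installed package\(s\) found\.$")

def parse_audit(text):
    """Return ({package: [entry, ...]}, (problems, packages) or None)."""
    findings, summary, entry = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PKG_RE.match(line):
            findings[m.group(1)] = entries = []  # new package section
            entry = None
        elif m := SUMMARY_RE.match(line):
            summary = (int(m.group(1)), int(m.group(2)))
        elif entry is not None and line[:5] in ("CVE: ", "WWW: "):
            entry[line[:3].lower()].append(line[5:])  # key is "cve" or "www"
        elif findings and " -- " in line:  # "<component> -- <title>" opens an entry
            entry = {"title": line, "cve": [], "www": []}
            entries.append(entry)
    return findings, summary

def is_complete(findings, summary):
    """False when the summary line is missing or its counts disagree."""
    return summary == (sum(len(v) for v in findings.values()), len(findings))

if __name__ == "__main__":
    found, total = parse_audit(SAMPLE)
    print({p: [c for e in items for c in e["cve"]] for p, items in found.items()})
    print("complete:", is_complete(found, total))
```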