Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
CVE-2018-25032 , zlib,
« previous
next »
Print
Pages: [
1
]
Author
Topic: CVE-2018-25032 , zlib, (Read 1354 times)
PerpetualNewbie
Newbie
Posts: 30
Karma: 8
CVE-2018-25032 , zlib,
«
on:
March 29, 2022, 03:54:38 am »
Is there a plan to address CVE-2018-25032 / zlib for OS with OPNSense?
(
https://nvd.nist.gov/vuln/detail/CVE-2018-25032
)
If so, any date for planned upgrade?
Thanks!
/var/etc/lighty-webConfigurator.conf:
...
## modules to load
server.modules = (
"mod_access", "mod_expire", "mod_deflate", "mod_redirect", "mod_setenv",
"mod_cgi", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_openssl"
)
...
# ldd /usr/local/lib/lighttpd/mod_deflate.so
/usr/local/lib/lighttpd/mod_deflate.so:
libz.so.6 => /lib/libz.so.6 (0x80065a000)
libc.so.7 => /lib/libc.so.7 (0x800260000)
(This appears to be a part of the core OS (buildworld) not from a pkg.)
Is the suggested path until there is a fix to disable mod_deflate from being loaded?
Thanks!
(I don't use OPNSense IPSEC/Strongswan, or OpenVPN so these were not included in my review.)
(I tried searching for this CVE in forums, but found no hits, so I created this post/thread/question.)
«
Last Edit: March 29, 2022, 10:20:23 am by PerpetualNewbie
»
Logged
franco
Administrator
Hero Member
Posts: 17660
Karma: 1611
Re: CVE-2018-25032 , zlib,
«
Reply #1 on:
March 29, 2022, 02:31:37 pm »
Looks like this is still developing since March 25 where it was publicly raised. I have no more info on this at the moment as FreeBSD src would have to release a security advisory for the base library and FreeBSD ports needs to update the zlib version or add the patch manually.
Cheers,
Franco
Logged
PerpetualNewbie
Newbie
Posts: 30
Karma: 8
Re: CVE-2018-25032 , zlib,
«
Reply #2 on:
March 29, 2022, 03:04:03 pm »
Thanks!
Logged
PerpetualNewbie
Newbie
Posts: 30
Karma: 8
Re: CVE-2018-25032 , zlib,
«
Reply #3 on:
April 13, 2022, 09:57:33 am »
Notes for "22.1.5" include:
"
...
Due to popular demand the user experience for the revamped VLAN handling was improved in several areas. Also incuded are a larger Unbound MVC rework and DNS system route apply changes from one single spot.
Last but not least the zlib vulnerability was fixed in FreeBSD amongst others
.
...
src: zlib compression out-of-bounds write[9]
...
"
It looks like 22.1.5 notes say this CVE was addressed. Thanks!
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
22.1 Legacy Series
»
CVE-2018-25032 , zlib,