23.7.6 update curl-8.3.0 is vulnerable

[gdur]

Just upgraded from 23.7.5 to 23.7.6 and found this after a security audit:

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.7.6 at Sat Oct 14 11:19:49 CEST 2023
vulnxml file up-to-date
curl-8.3.0 is vulnerable:
  curl -- SOCKS5 heap buffer overflow
  CVE: CVE-2023-38545
  WWW: https://vuxml.freebsd.org/freebsd/d6c19e8c-6806-11ee-9464-b42e991fc52e.html

1 problem(s) in 1 installed package(s) found.
***DONE***

In curl-8.4.0 it has been fixed...

[meyergru]

Do you use curl with a SOCKS5 proxy? No? Good.

[CJ]

The OPNSense team are good at updating things like this.  IIRC, last time there was a patch release for it.  Give it some time.

[misterjaytee]

This issue also exists in 23.7.5, it's not specific to 23.7.6. In fact, looking at the versions of curl that this affects, it would have been an issue going back at least 3 years (and not just for OPNsense, but for any device that uses curl/libcurl).

Whilst it is a high severity vulnerability, it should only be an issue if you use a socks5 proxy - there are also some recommendations at the bottom of this page:
https://curl.se/docs/CVE-2023-38545.html

[misterjaytee]

This has been fixed in 23.7.7:
ports: curl 8.4.0

[franco]

In a surprising twist the last update picked up the required security update. ;)


Cheers,
Franco

[misterjaytee]

In a surprising twist the last update picked up the required security update. ;)


Cheers,
Franco

Let's hope the next update has a surprising twist and fixes the multiple squid vulnerabilities  ;) :

squid-5.9 is vulnerable:
  squid -- Multiple vulnerabilities
  WWW: https://vuxml.freebsd.org/freebsd/a8fb8e3a-730d-11ee-ab61-b42e991fc52e.html

[franco]

Spoiler: tested squid 6.4 and it's queued up for 23.7.8.


Cheers,
Franco