OPNsense : openssl-3.0.12_2,1 is vulnerable- AGAIN?!?!?!

Started by skynetsense, February 01, 2024, 12:56:18 PM

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 24.1_1 at Thu Feb  1 03:40:34 PST 2024
Fetching vuln.xml.xz: .......... done
openssl-3.0.12_2,1 is vulnerable:
  OpenSSL -- Multiple vulnerabilities
  CVE: CVE-2023-6237
  CVE: CVE-2024-0727
  WWW: https://vuxml.freebsd.org/freebsd/10dee731-c069-11ee-9190-84a93843eb75.html

1 problem(s) in 1 installed package(s) found.
***DONE***

I was really hoping I wouldn't see this after the update. In fact someone was beating their chest swearing that the new upgrade would fix this?

Please spare me on the speeches about how it doesn't matter, it's minor and insignificant. The up and down swearing in the previous version about how it's gonna go away is enough.  I am paying money for this product and I don't want to see persistent errors like this. An attacker can see this too, you know?

Thank you for your time.

Outrageous mate, OPNsense 24.1 was released on January 30th and the patches landed on Freshports on the 31st? You have every right to be spared :)

https://www.freshports.org/security/openssl/

Rest assured the fix is coming.

Quote from: newsense on February 01, 2024, 01:31:56 PM
Outrageous mate, OPNsense 24.1 was released on January 30th and the patches landed on Freshports on the 31st? You have every right to be spared :)

https://www.freshports.org/security/openssl/

Rest assured the fix is coming.

Thank you brother :) Looking forward to the day when the Security scan won't mention the OpenSSL :) It's very important for me :) Cheers!

Quote: I was really hoping I wouldn't see this after the update. In fact someone was beating their chest swearing that the new upgrade would fix this?

Upon reading this, I thought 24.1 did not update OpenSSL. But the vuln.xml link in the OP lists its discovery date as January 30th, so these are new vulnerabilities. The ones from the original discussion were addressed by the update, since they are no longer listed.

Software that is maintained has security issues. I don't see the problem. We went for a day without an issue on 24.1 at least. And 24.1.1 was planned for next week anyway.  ;)


Cheers,
Franco
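As an added example (not part of this thread, and not OPNsense or pkg code), the script below does mechanically what Franco's reply does by hand: it parses the `pkg audit` report posted above, pulls the VuXML entry id out of the WWW link, and checks against a VuXML entry that the CVE list matches, that the installed `openssl-3.0.12_2,1` is still below the fixed range, and whether the entry's discovery date falls on or after the 24.1 release date (January 30th, as stated in the thread). The VuXML fragment is constructed in the shape of the real schema; its `<lt>` range and the `<entry>` date are assumed values for illustration, not copied from the live advisory. The pkg version comparison is deliberately simplified to dotted numeric versions with `_revision` and `,epoch`, which is all this package needs.

```python
"""Cross-check a FreeBSD/OPNsense `pkg audit` report against a VuXML entry.

Added example for the forum thread; not OPNsense, pkg, or VuXML project code.
"""
import re
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample: the audit output as posted in the thread.
AUDIT_OUTPUT = """\
Currently running OPNsense 24.1_1 at Thu Feb  1 03:40:34 PST 2024
Fetching vuln.xml.xz: .......... done
openssl-3.0.12_2,1 is vulnerable:
  OpenSSL -- Multiple vulnerabilities
  CVE: CVE-2023-6237
  CVE: CVE-2024-0727
  WWW: https://vuxml.freebsd.org/freebsd/10dee731-c069-11ee-9190-84a93843eb75.html

1 problem(s) in 1 installed package(s) found.
"""

# Constructed VuXML fragment in the real schema shape. vid, topic and CVEs match
# the audit output; the <lt> range and the <entry> date are ASSUMED for illustration.
VUXML_SAMPLE = """<?xml version="1.0"?>
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
  <vuln vid="10dee731-c069-11ee-9190-84a93843eb75">
    <topic>OpenSSL -- Multiple vulnerabilities</topic>
    <affects><package><name>openssl</name><range><lt>3.0.13,1</lt></range></package></affects>
    <references>
      <cvename>CVE-2023-6237</cvename>
      <cvename>CVE-2024-0727</cvename>
    </references>
    <dates><discovery>2024-01-30</discovery><entry>2024-01-31</entry></dates>
  </vuln>
</vuxml>
"""
NS = {"v": "http://www.vuxml.org/apps/vuxml-1"}
RELEASE_DATE = date(2024, 1, 30)  # OPNsense 24.1 release date as stated in the thread

PKG_RE = re.compile(r"^(?P<pkg>\S+)-(?P<ver>[^-\s]+) is vulnerable:$")


def parse_audit(text):
    """Return one dict per 'NAME-VERSION is vulnerable:' block in a pkg audit report."""
    findings, cur = [], None
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            cur = {"package": m["pkg"], "version": m["ver"], "topic": None, "cves": [], "www": None}
            findings.append(cur)
        elif cur is not None and line.startswith("  "):  # indented detail lines
            body = line.strip()
            if body.startswith("CVE: "):
                cur["cves"].append(body[5:])
            elif body.startswith("WWW: "):
                cur["www"] = body[5:]
            elif cur["topic"] is None:
                cur["topic"] = body
        else:  # blank line or summary ends the current block
            cur = None
    return findings


def parse_pkg_version(v):
    """'VERSION[_REVISION][,EPOCH]' -> (epoch, dotted-version tuple, revision).
    Simplified: numeric dotted components only (enough for openssl-3.0.12_2,1)."""
    epoch = rev = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    if "_" in v:
        v, r = v.split("_", 1)
        rev = int(r)
    return (epoch, tuple(int(p) for p in v.split(".")), rev)


def vid_from_url(url):
    """Extract the VuXML vid (a UUID) from a vuxml.freebsd.org WWW link."""
    m = re.search(r"/([0-9a-f-]{36})\.html$", url)
    return m.group(1) if m else None


def find_vuln(vuxml_xml, vid):
    """Locate a <vuln> by vid and return its topic, CVEs, <lt> ranges and discovery date."""
    root = ET.fromstring(vuxml_xml)
    for vuln in root.findall("v:vuln", NS):
        if vuln.get("vid") != vid:
            continue
        ranges = [(p.findtext("v:name", namespaces=NS), lt.text)
                  for p in vuln.findall("v:affects/v:package", NS)
                  for lt in p.findall("v:range/v:lt", NS)]
        return {
            "topic": vuln.findtext("v:topic", namespaces=NS),
            "cves": [c.text for c in vuln.findall("v:references/v:cvename", NS)],
            "lt": ranges,
            "discovery": date.fromisoformat(vuln.findtext("v:dates/v:discovery", namespaces=NS)),
        }
    return None


def assess(findings, vuxml_xml, release_date=RELEASE_DATE):
    """For each finding: do the CVEs match the entry, is the installed version still
    below the fixed range, and was the issue disclosed on/after the release date?"""
    results = []
    for f in findings:
        vid = vid_from_url(f["www"] or "")
        entry = find_vuln(vuxml_xml, vid) if vid else None
        if entry is None:
            results.append({"package": f["package"], "vid": vid, "error": "entry not found"})
            continue
        installed = parse_pkg_version(f["version"])
        affected = any(name == f["package"] and installed < parse_pkg_version(lt)
                       for name, lt in entry["lt"])
        results.append({
            "package": f["package"], "vid": vid,
            "cves_match": set(f["cves"]) == set(entry["cves"]),
            "still_affected": affected,
            "fixed_in": [lt for _, lt in entry["lt"]],
            "disclosed_on_or_after_release": entry["discovery"] >= release_date,
        })
    return results


if __name__ == "__main__":
    for r in assess(parse_audit(AUDIT_OUTPUT), VUXML_SAMPLE):
        print(r)
```

Against the constructed sample the script reports the openssl finding as still affected (3.0.12_2,1 sorts below the assumed 3.0.13,1 range), with matching CVEs and a discovery date not earlier than the release, which is exactly the "new vulnerability, not a missed one" distinction Franco draws.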

Arch and EndeavourOS are the first to have landed the fixes, but I'm not seeing it anywhere else yet, FreeBSD or Linux, so after rebuilds and validation I'm expecting to see it coming next week most everywhere.