Security audit (23.10.3 Business Edition) reports fixed CVEs as not fixed?

[gctwnl]

I ran a security audit and got this result:

Code: [Select]

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 23.10.3 at Sat Apr 13 11:37:48 CEST 2024
vulnxml file up-to-date
suricata-6.0.17 is vulnerable:
  suricata -- multiple vulnerabilities
  CVE: CVE-2024-23837
  CVE: CVE-2024-24568
  CVE: CVE-2024-23835
  CVE: CVE-2024-23836
  CVE: CVE-2024-23839
  WWW: https://vuxml.FreeBSD.org/freebsd/979dc373-d27d-11ee-8b84-b42e991fc52e.html

openssl111-1.1.1w is vulnerable:
  OpenSSL -- DoS in DH generation
  CVE: CVE-2023-5678
  WWW: https://vuxml.FreeBSD.org/freebsd/a5956603-7e4f-11ee-9df6-84a93843eb75.html

2 problem(s) in 2 installed package(s) found.
***DONE***But according to https://suricata.io/2024/02/08/suricata-7-0-3-and-6-0-16-released/ the CVEs were already fixed in Suricata 6.0.16. So now I'm confused.

[DEC670airp414user]

I run business as well.   well was until the openssl vulnerabilities came about.

I have moved to community version until the latest business is released.   should be this month I've read


Currently running OPNsense 24.1.5_3 at Sat Apr 13 06:19:32 EDT 2024
Fetching vuln.xml.xz: .......... done
openssl-3.0.13_2,1 is vulnerable:
  OpenSSL -- Unbounded memory growth with session handling in TLSv1.3
  CVE: CVE-2024-2511
  WWW: https://vuxml.FreeBSD.org/freebsd/7c217849-f7d7-11ee-a490-84a93843eb75.html

[franco]

The FreeBSD-bound database isn't optimal as it is "optimized" for FreeBSD ports use but people make mistakes while updating the vulnerability database is the root cause in a nut shell. It is what it is.


Cheers,
Franco