Question about 2 vulnerabilities in 25.1.10

Started by holunde, July 04, 2025, 12:18:17 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
July 04, 2025, 12:18:17 PM
I'm just wondering, why a release is coming out with these 2 new vulnerabilities?

Currently running OPNsense 25.1.10 (amd64) at Fri Jul  4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.freebsd.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***
July 04, 2025, 01:26:14 PM #1
The PHP vulnerabilities came out after 25.1.10 was released. I did the check just after installation and they were not listed.

The sudo vulnerabilities are not applicable to OpnSense, because you do not have SSH users that do not also have root privileges - or at least, you should not have them.

25.7 is due to release on 2025-07-23 and I guess this will be fixed then.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
July 04, 2025, 09:39:34 PM #2
Hi

Ok, that makes sense. Thanks for your reply!
September 11, 2025, 03:38:40 AM #3
Quote from: holunde on July 04, 2025, 12:18:17 PMI'm just wondering, why a release is coming out with these 2 new vulnerabilities?

Currently running OPNsense 25.1.10 (amd64) at Fri Jul  4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.FreeBSD.org/geometry dash lite/d607b12c-5821-11f0-ab92-f02f7497ecda.html
sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***
The PHP 8.3 vulnerabilities identified (CVE‑2025‑1220, CVE‑2025‑6491, CVE‑2025‑1735) were discovered and published after the release of 25.1.10. That means when the release was packaged, those PHP issues were still unknown and could not have been addressed in that version.
The sudo issues (CVE‑2025‑32462 and CVE‑2025‑32463) are flagged by the vulnerability scanner, but as the forum explains, these are not applicable in typical OPNsense configurations. OPNsense doesn't usually permit SSH users with sudo rights who aren't already root or privileged. Therefore, in most setups, the risk is negligible.
Print
Go Up Pages1
User actions