Question about 2 vulnerabilities in 25.1.10

Started by holunde, July 04, 2025, 12:18:17 PM

I'm just wondering, why a release is coming out with these 2 new vulnerabilities?

Currently running OPNsense 25.1.10 (amd64) at Fri Jul  4 11:50:37 CEST 2025
Fetching vuln.xml.xz: .......... done
php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.freebsd.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.
***DONE***

The PHP vulnerabilities came out after 25.1.10 was released. I did the check just after installation and they were not listed.

The sudo vulnerabilities are not applicable to OpnSense, because you do not have SSH users that do not also have root privileges - or at least, you should not have them.

25.7 is due to release on 2025-07-23 and I guess this will be fixed then.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
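The two points in the reply above are checkable rather than a matter of trust: first, which CVEs `pkg audit` actually attributes to which package, and second, whether the precondition for a local sudo privilege escalation (a non-root account that can log in at all) exists on the box. The script below is an added example written for this thread, not code from the forum or from the OPNsense project. It embeds the `pkg audit` text quoted above as a constructed sample, plus a constructed `/etc/passwd` excerpt in which the account `alice` is hypothetical and only there to show the "advisory applies" branch; on a real box you would pipe in `pkg audit` and `/etc/passwd` instead.

```shell
#!/bin/sh
# Added example for the thread above; not OPNsense or FreeBSD project code.
# Parses the text format of `pkg audit` into "package CVE" pairs and checks
# the precondition that makes the sudo advisory matter on a given host:
# a local, non-root account with a usable login shell.

# Constructed sample: the pkg audit output quoted in the thread.
AUDIT_SAMPLE='php83-8.3.22 is vulnerable:
  php -- Multiple vulnerabilities
  CVE: CVE-2025-1220
  CVE: CVE-2025-6491
  CVE: CVE-2025-1735
  WWW: https://vuxml.freebsd.org/freebsd/d607b12c-5821-11f0-ab92-f02f7497ecda.html

sudo-1.9.17 is vulnerable:
  sudo -- privilege escalation vulnerability through host and chroot options
  CVE: CVE-2025-32463
  CVE: CVE-2025-32462
  WWW: https://vuxml.freebsd.org/freebsd/24f4b495-56a1-11f0-9621-93abbef07693.html

2 problem(s) in 2 installed package(s) found.'

# Constructed /etc/passwd excerpt. "alice" is a hypothetical non-root login
# user added only to exercise the "advisory applies" branch; a stock
# OPNsense install has no such account.
PASSWD_SAMPLE='root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
alice:*:1001:1001:Alice:/home/alice:/bin/sh'

# audit_cves: pkg audit text on stdin -> one "pkgname CVE-id" line per CVE.
# The package header line is unindented ("<pkg> is vulnerable:"); CVE lines
# are indented with "CVE: ". Anything else (title, WWW, summary) is skipped.
audit_cves() {
    awk '
        /^[^ ].* is vulnerable:$/ { pkg = $1; next }
        /^  CVE: /                { print pkg, $2 }
    '
}

# cves_for: CVEs reported for exactly one package name ($1); audit text on stdin.
cves_for() {
    audit_cves | awk -v p="$1" '$1 == p { print $2 }'
}

# nonroot_login_users: passwd text on stdin -> account names with uid != 0
# whose shell is not nologin/false. These are the only accounts for which a
# local sudo privilege escalation changes anything; if the list is empty,
# every interactive user is already root.
nonroot_login_users() {
    awk -F: '$3 != 0 && $7 !~ /(nologin|false)$/ { print $1 }'
}

# sudo_advisory_applies: returns 0 when the audit flags a sudo package AND a
# non-root login user exists, 1 otherwise. $1 = audit text, $2 = passwd text.
sudo_advisory_applies() {
    sudo_hits=$(printf '%s\n' "$1" | audit_cves | awk '$1 ~ /^sudo-/' | wc -l | tr -d ' ')
    users=$(printf '%s\n' "$2" | nonroot_login_users | wc -l | tr -d ' ')
    if [ "$sudo_hits" -gt 0 ] && [ "$users" -gt 0 ]; then
        return 0
    fi
    return 1
}

# Demo on the constructed samples (on a live box: pkg audit -F | audit_cves).
printf '%s\n' "$AUDIT_SAMPLE" | audit_cves
if sudo_advisory_applies "$AUDIT_SAMPLE" "$PASSWD_SAMPLE"; then
    echo "sudo advisory applies: non-root login user(s) present:"
    printf '%s\n' "$PASSWD_SAMPLE" | nonroot_login_users
else
    echo "sudo advisory does not apply: no non-root login users"
fi
```

Drop the `alice` line from the passwd sample and the same call reports "does not apply", which is the situation the reply describes for a stock OPNsense install. The shell-based test for "login user" is a heuristic; an account with a real shell but a locked password, or a service account that gets a shell through some other path, would need to be judged by hand.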

Hi

Ok, that makes sense. Thanks for your reply!

November 10, 2025, 12:04:44 PM #3 Last Edit: November 10, 2025, 02:45:17 PM by meyergru
1. The current CE version is 25.7.7_4, where this has long been patched.
2. As I wrote, the vulnerability never applied to OpnSense anyway - and I also explained why.

It does not become any more true by repeating this. As pointed out, the PHP vulnerabilities were detected after the 25.1.10 release, so there never was "a release ship with fresh vulnerabilities still present" like you say.

The sudo vulnerabilities are not applicable to OpnSense, so they were a false alarm.

Anyway, 25.1.10 was long ago succeeded by 25.7.x, where the referenced vulnerabilities have been fixed.

So, what is your actual complaint? Not having updated to 25.7.7_4? That would be on you, I guess.

Quote from: emeliaerick on November 23, 2025, 07:29:02 PM
Hopefully a follow-up patch drops soon, because seeing those CVEs right after updating doesn't inspire much confidence.

The follow-up patch is 25.7. 25.1 is long EOL. Complaining about vulnerabilities in EOL software is a bit strange, don't you think? But you do you.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

You both have been arguing with a bot :)

Saw that only after it started advertising... damn AI slop.

It's pretty interesting. I'll try to delete it when I see embedded links, but they mostly stick random stuff on here or repost old forum messages and only go back later and add links everywhere they already posted.


Cheers,
Franco