Openssl-3.0.17,1 is vulnerable: OpenSSL -- multiple vulnerabilities

Started by n725, October 07, 2025, 02:20:40 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
October 07, 2025, 02:20:40 PM
Hi, i'm a newbie in opnsense. I had a security audit on the latest stable release  from
http://opnsense.local/ui/core/firmware#status.
Opnsense report:

***GOT REQUEST TO AUDIT SECURITY***
Currently running OPNsense 25.7.4 (amd64) at Tue Oct  7 12:43:46 CEST 2025
vulnxml file up-to-date
openssl-3.0.17,1 is vulnerable:
  OpenSSL -- multiple vulnerabilities
  CVE: CVE-2025-9232
  CVE: CVE-2025-9231
  CVE: CVE-2025-9230
  WWW: https://vuxml.freebsd.org/freebsd/00e912c5-9e92-11f0-bc5f-8447094a420f.html

1 problem(s) in 1 installed package(s) found.
***DONE***

Is there a way to fix this bug?
October 07, 2025, 02:27:56 PM #1
Wait for the next update and install it when it is published?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
October 07, 2025, 02:36:55 PM #2
One is for S/MIME and we don't do emails.

One is for "no_proxy" env var use which is nowhere found in core. The docs suggest using it, but it still would need to be compromised by an  attacker with root access in that case. Chances are practically zero that they would go for this particular problem?

One is for 64-bit ARM architectures. We only offer AMD64.

This is commercial grade support BTW.



Cheers,
Franco
October 07, 2025, 04:30:36 PM #3
Ok thanks. By the way, I told you I'm a complete OPNSense newbie, right?
October 07, 2025, 05:06:36 PM #4
That's ok, because we're here to help :)

Note that the scanner is for everyone so we are all aware and working towards shipping the fixes as soon as possible, which sometimes takes a bit longer for the strangest reasons.

In this case 25.7.5 is due tomorrow and fixes this.


Cheers,
Franco
Print
Go Up Pages1
User actions