Suggestion: Include Business Edition version numbers in Security Advisories

Started by pk2k, May 06, 2026, 04:21:16 PM

Hi everyone,

First of all, thank you to the OPNsense team and all contributors for the amazing work you're doing. We've been using OPNsense Business Edition for quite some time now, and we really appreciate the stability, the feature set, and the pace at which improvements and fixes are delivered. It's clear how much dedication goes into this project.

I have a small suggestion regarding the Security Advisories published on GitHub (for example: GHSA-h3vx-4q27-rc42). Currently, the advisories list only the fixed versions for the Community Edition. For users of the Business Edition, this can make it a bit difficult to determine whether a specific BE release is already patched.

To illustrate the issue:
The advisory above states that the vulnerability is fixed starting with CE version 26.1.7. At the time the advisory was published, Business Edition 26.4 was already available. Based on the version numbers alone, one might assume that 26.4 includes the fix — but in reality, the patch was only included in 26.4_6. This information can be pieced together from forum posts and release notes, but it's not immediately visible from the advisory itself.

It would be extremely helpful if the Security Advisories could also include the corresponding fixed versions for the Business Edition. This would avoid confusion and save users from having to search through release notes or forum threads to confirm whether their systems are protected.

I hope this suggestion is helpful. Thanks again for all your hard work — it's very much appreciated.

Fair point. Already noticed this for the last few things via GHSA where we can edit the information prior to publication.

There is, however, an issue with the hotfix version going down a rabbit hole, since it counts commits off the last tag. Typically security issues are not fixed in hotfixes, but now that's only true for community, and business differs for the obvious reasons of timely shipping. Intermediate numbers for business editions may be somewhat useful here, but also bloat the slimmed-down versioning approach.

Long story short we're not sure how to deal with this in practice just yet.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
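The two posts above describe the practical problem: a fixed version in an advisory is only meaningful within one edition's release train, and a Business Edition hotfix suffix such as `_6` (a count of commits past the last tag, per Franco's reply) decides whether a given install carries the fix. The following is an added example, not code from the thread or from the OPNsense project, showing how an operator could record per-edition fixed versions and check an installed version against them. The fixed-version record uses the values stated in the first post (CE 26.1.7, BE 26.4_6); the `opnsense-version` output line is a constructed sample, and the version-string grammar (major.minor[.patch][_hotfix]) is an assumption drawn from the version strings that appear in the thread.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions per edition, as stated in the forum post for GHSA-h3vx-4q27-rc42.
# Constructed record for illustration; in practice this comes from the advisory.
FIXED_VERSIONS: Dict[str, str] = {
    "community": "26.1.7",
    "business": "26.4_6",
}

# Assumed grammar: major.minor, optional .patch, optional _hotfix (commits past tag).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:_(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Turn '26.4_6' into (26, 4, 0, 6) and '26.1.7' into (26, 1, 7, 0).

    Missing patch or hotfix components count as 0, so a tuple comparison
    orders '26.4' below '26.4_6'.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OPNsense version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def extract_version(cli_output: str) -> Optional[str]:
    """Pull the version token out of a line such as 'OPNsense 26.4_6 (amd64)'.

    The line format is a constructed sample, not a guarantee about the
    opnsense-version tool's exact output.
    """
    found = re.search(r"\b(\d+\.\d+(?:\.\d+)?(?:_\d+)?)\b", cli_output)
    return found.group(1) if found else None


def patch_status(installed: str, edition: str,
                 fixed: Dict[str, str] = FIXED_VERSIONS) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one edition.

    Comparison is only done within the same major.minor release train: the
    thread's own example (BE 26.4 shipped after CE 26.1.7 without the fix)
    shows that a higher number on another train proves nothing, so those
    cases are reported as 'unknown' and need the release notes.
    """
    if edition not in fixed:
        raise KeyError(f"no fixed version recorded for edition {edition!r}")
    inst = parse_version(installed)
    fix = parse_version(fixed[edition])
    if inst[:2] != fix[:2]:
        return "unknown"
    return "patched" if inst >= fix else "vulnerable"


if __name__ == "__main__":
    # Constructed sample of a CLI line; the real tool's format may differ.
    sample_line = "OPNsense 26.4_6 (amd64)"
    version = extract_version(sample_line)
    print(version, patch_status(version, "business"))      # 26.4_6 patched
    print("26.4", patch_status("26.4", "business"))        # 26.4 vulnerable
    print("26.1.6", patch_status("26.1.6", "community"))   # 26.1.6 vulnerable
```

The "unknown" result is deliberate: it is the case the thread is about, where an advisory names a fixed version on one train and the operator runs a release on another. Treating that as patched would reproduce exactly the false assumption the first post warns against.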