Open CVEs right after update

mooh · Open CVEs right after update

Just after updating to 26.4_6 the security audit produces a list of 7 vulnerabilities with CVE. Is this the new normal now that AI is searching for them?

This is not meant to discredit the OPNsense maintainers, just a general question. I just want to be prepared for a time when running a firewall with known vulnerabilities is the new normal.

Nullman · Reply #1 - Re: Open CVEs right after update

Welcome to 2026.

franco · Reply #2 - Re: Open CVEs right after update

Most of it is Python. According to https://peps.python.org/pep-0719/ 3.13.14 will be out by Tuesday, 2026-06-09.

In the meantime we'd have to put in a lot of effort to micro manage Python fixes and potentially clashing with similar efforts in FreeBSD ports. It's not a good option for us at the moment with the priorities we have.

So, yes, 2026. Welcome to the future.

Cheers,
Franco

franco · Reply #3 - Re: Open CVEs right after update

PS: OpenVPN 2.6.20 is not vulnerable. The FreeBSD ports database is wrong but since they skipped the version there's no effort there to be more diligent.

Open CVEs right after update

mooh

Today at 04:53:25 PM

Nullman

Today at 04:55:29 PM #1

franco

Today at 05:26:48 PM #2

franco

Today at 05:28:59 PM #3