Open CVEs right after update

Started by mooh, May 06, 2026, 04:53:25 PM

Just after updating to 26.4_6 the security audit produces a list of 7 vulnerabilities with CVEs. Is this the new normal now that AI is searching for them?

This is not meant to discredit the OPNsense maintainers, just a general question. I just want to be prepared for a time when running a firewall with known vulnerabilities is the new normal.


Most of it is Python. According to https://peps.python.org/pep-0719/ 3.13.14 will be out by Tuesday, 2026-06-09.

In the meantime we'd have to put in a lot of effort to micromanage Python fixes and potentially clash with similar efforts in FreeBSD ports. It's not a good option for us at the moment with the priorities we have.

So, yes, 2026. Welcome to the future.


Cheers,
Franco

PS: OpenVPN 2.6.20 is not vulnerable. The FreeBSD ports database is wrong, but since they skipped the version there's no effort there to be more diligent.

Quote from: franco on May 06, 2026, 05:26:48 PM
Most of it is Python. According to https://peps.python.org/pep-0719/ 3.13.14 will be out by Tuesday, 2026-06-09.

In the meantime we'd have to put in a lot of effort to micromanage Python fixes and potentially clash with similar efforts in FreeBSD ports. It's not a good option for us at the moment with the priorities we have.

So, yes, 2026. Welcome to the future.
Does that future include kicking out that weird snake at some point?? :P
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)