Open CVEs right after update

Started by mooh, May 06, 2026, 04:53:25 PM

Just after updating to 26.4_6 the security audit produces a list of 7 vulnerabilities with CVE. Is this the new normal now that AI is searching for them?

This is not meant to discredit the OPNsense maintainers, just a general question. I just want to be prepared for a time when running a firewall with known vulnerabilities is the new normal.


Most of it is Python. According to https://peps.python.org/pep-0719/ 3.13.14 will be out by Tuesday, 2026-06-09.

In the meantime we'd have to put in a lot of effort to micromanage Python fixes and potentially clash with similar efforts in FreeBSD ports. It's not a good option for us at the moment with the priorities we have.

So, yes, 2026. Welcome to the future.


Cheers,
Franco

PS: OpenVPN 2.6.20 is not vulnerable. The FreeBSD ports database is wrong but since they skipped the version there's no effort there to be more diligent.

Quote from: franco on May 06, 2026, 05:26:48 PM
Most of it is Python. According to https://peps.python.org/pep-0719/ 3.13.14 will be out by Tuesday, 2026-06-09.

In the meantime we'd have to put in a lot of effort to micromanage Python fixes and potentially clash with similar efforts in FreeBSD ports. It's not a good option for us at the moment with the priorities we have.

So, yes, 2026. Welcome to the future.
Does that future include kicking out that weird snake at some point ?? :P
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

Quote from: nero355 on Today at 12:00:47 AM
Does that future include kicking out that weird snake at some point ?? :P

There's nothing to kick.

So many things depend on Python it's not even funny. And the goal is to be on a supported version that can be used with everything that depends on it.

FWIW, FreeBSD 14.x branch is still lagging on python311 while OPNsense was able to jump on the python313 train shortly after 26.1, which in turn caused issues on the mimugmail repo with things not building properly.

Thankfully it would appear some if not all of the mimugmail issues have been ironed out as I just found today a new Unifi update along with the associated dependencies.

Yep, looking at the current open source ecosystem Python isn't going anywhere in many projects. We're also using it in backend scripting.


Cheers,
Franco