CVE-2026-45257

Started by cwt, June 15, 2026, 12:03:29 PM

> Maybe there is a need for better visibility

No, these are not our CVEs. Trying to keep up with downstream security issues is futile.

The changelog already points to https://www.freebsd.org/security/advisories/FreeBSD-SA-26:26.ktls.asc where you can find up-to-date information like CVEs.


Cheers,
Franco

Quote from: franco on June 16, 2026, 05:18:39 PM
> No, these are not our CVEs.

I meant something along the lines of
"This business release is based on the OPNsense 26.1.9 community version with additional security and reliability improvements." because this person probably got a bit overwhelmed with all the improvements on the new version.

We are in a CVE apocalypse; of course there is no need to micromanage each security fix :)

Ahh. Thank you!

I searched the release notes for "kernel", but didn't find anything regarding this.

Quote from: sopex on June 15, 2026, 03:07:24 PM
> I also install nano, much better experience :) Editor wars 2.0
:-)

I first used Unix in the 1980s and only occasionally since then, enough to be familiar but never regular. At that time vi was clearly better to use than ed so I did, and have ever since. Also, ZZ is quicker than :wq
Deciso DEC697

June 18, 2026, 09:41:49 AM #19 Last Edit: June 18, 2026, 09:44:35 AM by some-random-user
Quote from: franco on June 15, 2026, 12:31:35 PM
> 26.1.10 is being released later this afternoon.

Hi Franco,

CVE-2026-45257 is not mentioned anywhere in the release notes for 26.1.10, nor in the numbered footnotes 1 through 24 inclusive.

Can you please confirm that the patch made it into 26.1.10? If so, why is it not mentioned?

Thanks in advance!

----

EDIT to add: It seems to be referred to using its FreeBSD advisory in footnote 8, but not the CVE. IMHO the CVE should ALWAYS be included in the patch notes in addition to vendor-specific references!

We may list CVEs for other vendors, but only if no better reference exists. The FreeBSD advisory is clearly better than the CVE information. It's not even public yet:

https://www.cve.org/cverecord?id=CVE-2026-45257


Cheers,
Franco

Quote from: franco on June 18, 2026, 09:46:28 AM
> We may list CVEs for other vendors, but only if no better reference exists. The FreeBSD advisory is clearly better than the CVE information. It's not even public yet:

All I'm asking is for you to even just mention the CVE number in the release notes; it makes it much easier to verify with certainty that a specific issue is patched in a release. Like so:

Quote
> src: arbitrary file overwrite via the KTLS receive path (CVE-2026-45257, FreeBSD-SA-26:26.ktls)[8]

June 18, 2026, 10:03:40 AM #22 Last Edit: June 18, 2026, 10:05:13 AM by franco
I know what you're asking, but I already explained why I said "no", too.

Everyone can ask here or elsewhere; click and read the changelog references provided or gather more information on system impact if it's necessary for your local installation.


Cheers,
Franco