cve nginx

Started by wirehire, June 21, 2026, 05:19:11 PM

https://nginx.org/en/security_advisories.html

Does the nginx package come from FreeBSD upstream? Because last time, it was long delayed when it came to the OPNsense repo.

How can we update a critical package (nginx)? Only wait, or can we force an update from FreeBSD?

Greets

When FreeBSD updates their vuxml database you can see it pop up in the audit until it's fixed.

If you don't see it there it's better to double-check yourself.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
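One way to do the double-check Franco mentions, as an added example that is not from the thread: parse `pkg audit` output for the package you care about and compare the installed version with the fixed version named in the advisory. The audit text, CVE id and vuxml UUID below are constructed placeholders; `live_check` is a hypothetical wrapper that runs the real `pkg` commands on a FreeBSD/OPNsense box.

```sh
#!/bin/sh
# Added example, not the forum's or OPNsense's own tooling.

# Constructed sample of `pkg audit` output (placeholder CVE and vuxml id).
AUDIT_SAMPLE='nginx-1.26.2,3 is vulnerable:
  nginx -- placeholder advisory title
  CVE: CVE-XXXX-XXXXX
  WWW: https://vuxml.FreeBSD.org/freebsd/00000000-0000-0000-0000-000000000000.html

1 problem(s) in 1 installed package(s) found.'

# vulnerable_in_audit PKG AUDIT_TEXT
# Returns 0 when AUDIT_TEXT lists PKG (by origin name) as vulnerable.
vulnerable_in_audit() {
    printf '%s\n' "$2" | grep -q "^$1-[0-9][^ ]* is vulnerable"
}

# vuxml_urls AUDIT_TEXT: print the vuxml entry URLs named in the audit text.
vuxml_urls() {
    printf '%s\n' "$1" | sed -n 's/^ *WWW: *//p'
}

# version_lt A B: returns 0 when pkg version A is older than B.
# Strips the port revision ("_1") and epoch (",3"), then compares dot fields.
version_lt() {
    a=${1%%[,_]*}; b=${2%%[,_]*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# live_check PKG FIXED_VERSION: run on the firewall itself (hypothetical wrapper).
# Refreshes the vuxml database, then reports both the audit view and a direct
# version comparison, so a missing vuxml entry does not hide an old package.
live_check() {
    audit_out=$(pkg audit -F 2>/dev/null) || true
    installed=$(pkg query '%v' "$1")
    vulnerable_in_audit "$1" "$audit_out" && echo "$1 listed in pkg audit"
    vuxml_urls "$audit_out"
    version_lt "$installed" "$2" && echo "$1 $installed is older than fixed $2"
}
```

The audit lookup and the version comparison are deliberately independent: the second one still flags an outdated build when the vuxml entry has not landed yet.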

Hey Franco, first thanks for the answer. I see it in the vuxml and I see the new release with the fixes.

I want to understand how the updates from core come to OPNsense. Are the core packages always from upstream when I hit the update button, or only when your team allows it in the OPNsense repo?

Greets, I hope I made my question clear for understanding.

greets!

We're staging the FreeBSD ports into our package builds. So in most cases the commit hits FreeBSD ports first. Sometimes this step is quick, sometimes not. For some services we may update earlier as upstream patches or releases are available. It depends on a lot of factors. Also note that Nginx is within optional community scope and therefore not a priority for releases.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Thanks for the insights! We have 6 business firewalls where nginx runs as a reverse proxy, and automatic scanners which notify us when a critical CVE comes up. So when nginx is a focus for the community, we must look at changing the reverse proxy package or moving away from OPNsense as a reverse proxy to a server.

Greets!

We have a tier1 reverse proxy available in the business edition:

https://docs.opnsense.org/vendor/deciso/opnwaf.html
Hardware:
DEC740

Based on Apache, right? We have problems (speed, latency) with the Apache reverse proxy, so we came to nginx. But thanks for your input. We are looking forward to evaluating this plugin as an alternative to os-nginx.


greets

Yeah, it's based on Apache. I guess it depends on the configuration, but with mpm-event it should be fine (which we ship as standard).

But of course I don't know what kind of traffic volume or latency you are expecting in general.

There are also other tweaks like using TCP RACK via system tunables.

But as soon as you start to heavily tune a reverse proxy to get the performance you need it might be better to separate concerns in general.
Hardware:
DEC740