Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CVE forum discussion categories?

    Scheduled Pinned Locked Moved Off-Topic & Non-Support Discussion
    vulnerability
    20 Posts 5 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rcoleman-netgate Netgate @JonathanLee
      last edited by

      @jonathanlee Likely pfBlockerNG

      Ryan
      Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
      Requesting firmware for your Netgate device? https://go.netgate.com
      Switching: Mikrotik, Netgear, Extreme
      Wireless: Aruba, Ubiquiti

      JonathanLeeJ Dobby_D 2 Replies Last reply Reply Quote 1
      • JonathanLeeJ
        JonathanLee @rcoleman-netgate
        last edited by

        @rcoleman-netgate I have Squidguard, squid, squidlite, cron, watchdog, snort, patches,

        Screenshot_20230516-214505.png

        Make sure to upvote

        R 1 Reply Last reply Reply Quote 0
        • Dobby_D
          Dobby_ @rcoleman-netgate
          last edited by

          @rcoleman-netgate
          On 23.05 RC
          pfBlockerNG_v3.2.0_5

          On 2.7 devel
          pfBlockerNG_v3.2.0_4

          @JonathanLee
          23.05 RC
          23.05 installed patches.jpg
          2.7 Devel
          2.7 installed packages.jpg

          #~. @Dobby

          Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
          PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
          PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

          JonathanLeeJ 1 Reply Last reply Reply Quote 1
          • JonathanLeeJ
            JonathanLee @Dobby_
            last edited by

            @dobby_ i noticed strongswan also shows as an issue for me. I am still running 23.01 the version before 23.05.

            Make sure to upvote

            Dobby_D 1 Reply Last reply Reply Quote 0
            • R
              rcoleman-netgate Netgate @JonathanLee
              last edited by

              @jonathanlee said in CVE forum discussion categories?:

              @rcoleman-netgate I have Squidguard, squid, squidlite, cron, watchdog, snort, patches,

              I suspect curl() is required by System Patches. You can find dependencies from the System->Packages page.

              Ryan
              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
              Requesting firmware for your Netgate device? https://go.netgate.com
              Switching: Mikrotik, Netgear, Extreme
              Wireless: Aruba, Ubiquiti

              1 Reply Last reply Reply Quote 1
              • Dobby_D
                Dobby_ @JonathanLee
                last edited by Dobby_

                @jonathanlee said in CVE forum discussion categories?:

                @dobby_ i noticed strongswan also shows as an issue for me. I am still running 23.01 the version before 23.05.

                Many patches were finding its way into the 23.05 and
                on top I think there will be more actual packages ad/or
                other version inside that will be not anymore affected
                by the vuln`s you were presenting.

                23.05 RC Strongswan

                [23.05-RC][root@xx xx xx]/root: pkg info strongswan
                strongswan-5.9.10_2
                Name           : strongswan
                Version        : 5.9.10_2
                Installed on   : Wed May 10 22:13:58 2023 CEST
                Origin         : security/strongswan
                Architecture   : FreeBSD:14:amd64
                Prefix         : /usr/local
                Categories     : security net-vpn
                Licenses       : GPLv2
                Maintainer     : strongswan@nanoteq.com
                WWW            : https://www.strongswan.org
                Comment        : Open Source IKEv2 IPsec-based VPN solution
                Options        :
                        BUILTIN        : off
                        CTR            : off
                        CURL           : on
                        EAPAKA3GPP2    : off
                        EAPDYNAMIC     : on
                        EAPRADIUS      : on
                        EAPSIMFILE     : on
                        FARP           : off
                        GCM            : on
                        IKEV1          : on
                        IPSECKEY       : on
                        KDF            : on
                        KERNELLIBIPSEC : off
                        LDAP           : off
                        LIBC           : off
                        LOADTESTER     : off
                        MEDIATION      : off
                        MYSQL          : off
                        PKCS11         : on
                        PKI            : on
                        PYTHON         : off
                        SCEP           : off
                        SMP            : off
                        SQLITE         : off
                        SWANCTL        : on
                        TESTVECTOR     : off
                        TPM            : off
                        TSS2           : off
                        UNBOUND        : on
                        UNITY          : on
                        VICI           : on
                        VSTR           : on
                        XAUTH          : on
                Shared Libs required:
                        libvstr-1.0.so.0
                        libunbound.so.8
                        libldns.so.3
                        libcurl.so.4
                Shared Libs provided:
                        libvici.so.0
                        libtls.so.0
                        libstrongswan.so.0
                        libstrongswan-xcbc.so
                        libstrongswan-xauth-pam.so
                        libstrongswan-xauth-generic.so
                        libstrongswan-xauth-eap.so
                        libstrongswan-x509.so
                        libstrongswan-whitelist.so
                        libstrongswan-vici.so
                        libstrongswan-updown.so
                        libstrongswan-unity.so
                        libstrongswan-unbound.so
                        libstrongswan-stroke.so
                        libstrongswan-sshkey.so
                        libstrongswan-socket-default.so
                        libstrongswan-sha2.so
                        libstrongswan-sha1.so
                        libstrongswan-revocation.so
                        libstrongswan-resolve.so
                        libstrongswan-rc2.so
                        libstrongswan-random.so
                        libstrongswan-pubkey.so
                        libstrongswan-pkcs8.so
                        libstrongswan-pkcs7.so
                        libstrongswan-pkcs12.so
                        libstrongswan-pkcs11.so
                        libstrongswan-pkcs1.so
                        libstrongswan-pgp.so
                        libstrongswan-pem.so
                        libstrongswan-openssl.so
                        libstrongswan-nonce.so
                        libstrongswan-md5.so
                        libstrongswan-md4.so
                        libstrongswan-kernel-pfroute.so
                        libstrongswan-kernel-pfkey.so
                        libstrongswan-kdf.so
                        libstrongswan-ipseckey.so
                        libstrongswan-hmac.so
                        libstrongswan-gcm.so
                        libstrongswan-fips-prf.so
                        libstrongswan-eap-ttls.so
                        libstrongswan-eap-tls.so
                        libstrongswan-eap-sim.so
                        libstrongswan-eap-sim-file.so
                        libstrongswan-eap-radius.so
                        libstrongswan-eap-peap.so
                        libstrongswan-eap-mschapv2.so
                        libstrongswan-eap-md5.so
                        libstrongswan-eap-identity.so
                        libstrongswan-eap-dynamic.so
                        libstrongswan-drbg.so
                        libstrongswan-dnskey.so
                        libstrongswan-des.so
                        libstrongswan-curve25519.so
                        libstrongswan-curl.so
                        libstrongswan-counters.so
                        libstrongswan-constraints.so
                        libstrongswan-cmac.so
                        libstrongswan-blowfish.so
                        libstrongswan-attr.so
                        libstrongswan-aes.so
                        libstrongswan-addrblock.so
                        libsimaka.so.0
                        libradius.so.0
                        libcharon.so.0
                Annotations    :
                        FreeBSD_version: 1400085
                        build_timestamp: 2023-05-04T17:08:03+0000
                        built_by       : poudriere-git-3.3.99.20220831
                        cpe            : cpe:2.3:a:strongswan:strongswan:5.9.10:::::freebsd14:x64:2
                        port_checkout_unclean: no
                        port_git_hash  : 78ba9de1f8df
                        ports_top_checkout_unclean: yes
                        ports_top_git_hash: e7f28213b661
                        repo_type      : binary
                        repository     : pfSense
                Flat size      : 3.24MiB
                Description    :
                Strongswan is an open source IPsec-based VPN solution.
                Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key
                exchange protocols.
                
                WWW: https://www.strongswan.org
                

                2.7 Strongswan

                [2.7.0-DEVELOPMENT][root@xx xx xx]/root: pkg info strongswan
                strongswan-5.9.10_2
                Name           : strongswan
                Version        : 5.9.10_2
                Installed on   : Mon May  8 21:38:18 2023 CEST
                Origin         : security/strongswan
                Architecture   : FreeBSD:14:amd64
                Prefix         : /usr/local
                Categories     : security net-vpn
                Licenses       : GPLv2
                Maintainer     : strongswan@nanoteq.com
                WWW            : https://www.strongswan.org
                Comment        : Open Source IKEv2 IPsec-based VPN solution
                Options        :
                        BUILTIN        : off
                        CTR            : off
                        CURL           : on
                        EAPAKA3GPP2    : off
                        EAPDYNAMIC     : on
                        EAPRADIUS      : on
                        EAPSIMFILE     : on
                        FARP           : off
                        GCM            : on
                        IKEV1          : on
                        IPSECKEY       : on
                        KDF            : on
                        KERNELLIBIPSEC : off
                        LDAP           : off
                        LIBC           : off
                        LOADTESTER     : off
                        MEDIATION      : off
                        MYSQL          : off
                        PKCS11         : on
                        PKI            : on
                        PYTHON         : off
                        SCEP           : off
                        SMP            : off
                        SQLITE         : off
                        SWANCTL        : on
                        TESTVECTOR     : off
                        TPM            : off
                        TSS2           : off
                        UNBOUND        : on
                        UNITY          : on
                        VICI           : on
                        VSTR           : on
                        XAUTH          : on
                Shared Libs required:
                        libvstr-1.0.so.0
                        libunbound.so.8
                        libldns.so.3
                        libcurl.so.4
                Shared Libs provided:
                        libvici.so.0
                        libtls.so.0
                        libstrongswan.so.0
                        libstrongswan-xcbc.so
                        libstrongswan-xauth-pam.so
                        libstrongswan-xauth-generic.so
                        libstrongswan-xauth-eap.so
                        libstrongswan-x509.so
                        libstrongswan-whitelist.so
                        libstrongswan-vici.so
                        libstrongswan-updown.so
                        libstrongswan-unity.so
                        libstrongswan-unbound.so
                        libstrongswan-stroke.so
                        libstrongswan-sshkey.so
                        libstrongswan-socket-default.so
                        libstrongswan-sha2.so
                        libstrongswan-sha1.so
                        libstrongswan-revocation.so
                        libstrongswan-resolve.so
                        libstrongswan-rc2.so
                        libstrongswan-random.so
                        libstrongswan-pubkey.so
                        libstrongswan-pkcs8.so
                        libstrongswan-pkcs7.so
                        libstrongswan-pkcs12.so
                        libstrongswan-pkcs11.so
                        libstrongswan-pkcs1.so
                        libstrongswan-pgp.so
                        libstrongswan-pem.so
                        libstrongswan-openssl.so
                        libstrongswan-nonce.so
                        libstrongswan-md5.so
                        libstrongswan-md4.so
                        libstrongswan-kernel-pfroute.so
                        libstrongswan-kernel-pfkey.so
                        libstrongswan-kdf.so
                        libstrongswan-ipseckey.so
                        libstrongswan-hmac.so
                        libstrongswan-gcm.so
                        libstrongswan-fips-prf.so
                        libstrongswan-eap-ttls.so
                        libstrongswan-eap-tls.so
                        libstrongswan-eap-sim.so
                        libstrongswan-eap-sim-file.so
                        libstrongswan-eap-radius.so
                        libstrongswan-eap-peap.so
                        libstrongswan-eap-mschapv2.so
                        libstrongswan-eap-md5.so
                        libstrongswan-eap-identity.so
                        libstrongswan-eap-dynamic.so
                        libstrongswan-drbg.so
                        libstrongswan-dnskey.so
                        libstrongswan-des.so
                        libstrongswan-curve25519.so
                        libstrongswan-curl.so
                        libstrongswan-counters.so
                        libstrongswan-constraints.so
                        libstrongswan-cmac.so
                        libstrongswan-blowfish.so
                        libstrongswan-attr.so
                        libstrongswan-aes.so
                        libstrongswan-addrblock.so
                        libsimaka.so.0
                        libradius.so.0
                        libcharon.so.0
                Annotations    :
                        FreeBSD_version: 1400085
                        build_timestamp: 2023-04-27T06:52:01+0000
                        built_by       : poudriere-git-3.3.99.20220831
                        cpe            : cpe:2.3:a:strongswan:strongswan:5.9.10:::::freebsd14:x64:2
                        port_checkout_unclean: no
                        port_git_hash  : 78ba9de1f8df
                        ports_top_checkout_unclean: yes
                        ports_top_git_hash: 78ba9de1f8df
                        repo_type      : binary
                        repository     : pfSense
                Flat size      : 3.24MiB
                Description    :
                Strongswan is an open source IPsec-based VPN solution.
                Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key
                exchange protocols.
                
                WWW: https://www.strongswan.org
                

                #~. @Dobby

                Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                1 Reply Last reply Reply Quote 1
                • JonathanLeeJ
                  JonathanLee @Dobby_
                  last edited by

                  @dobby_ how did you update curl?

                  Screenshot 2023-05-17 at 12.06.20 PM.png

                  Make sure to upvote

                  Dobby_D 1 Reply Last reply Reply Quote 0
                  • Dobby_D
                    Dobby_ @JonathanLee
                    last edited by

                    @jonathanlee said in CVE forum discussion categories?:

                    @dobby_ how did you update curl?

                    I never did that! I was only installing 23.05 RC and on the
                    other hardware 2.7 Devel, both are amd64 (x86_64), so
                    I don´t know in real but I am imagine that in the newer
                    versions are also newer packets (pkg`s) installed or the
                    last available versions of some packets, modules and so
                    on and so on.

                    #~. @Dobby

                    Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                    PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                    PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                    1 Reply Last reply Reply Quote 1
                    • M
                      mer
                      last edited by

                      pkg info -r curl should tell you what packages are depending on the curl package

                      JonathanLeeJ 1 Reply Last reply Reply Quote 2
                      • JonathanLeeJ
                        JonathanLee @mer
                        last edited by

                        @mer

                        c17feb62-a998-41b6-97ed-44b079e0e731-image.png

                        After the update to 23.05

                        f6f10b6b-6135-43b3-b1bf-870677f0777e-image.png

                        It is like I have two different versions installed.

                        Make sure to upvote

                        Dobby_D 1 Reply Last reply Reply Quote 0
                        • Dobby_D
                          Dobby_ @JonathanLee
                          last edited by

                          @jonathanlee

                          This time I have one more then you!
                          Audit 23.05 Release .jpg

                          #~. @Dobby

                          Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                          PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                          PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                          JonathanLeeJ 1 Reply Last reply Reply Quote 0
                          • JonathanLeeJ
                            JonathanLee @Dobby_
                            last edited by

                            @dobby_ I wonder how we can fix curl issues

                            Make sure to upvote

                            Dobby_D 1 Reply Last reply Reply Quote 0
                            • Dobby_D
                              Dobby_ @JonathanLee
                              last edited by Dobby_

                              @jonathanlee said in CVE forum discussion categories?:

                              @dobby_ I wonder how we can fix curl issues

                              Before it wasn`t marked as vuln. and now it is also shown
                              in the newer version, perhaps they found the problems
                              in the last days/hours and before it was not known.

                              As an example and compared to the 2.7 Devel version
                              (latest) you may able to see what we can await from
                              the real 2.7 Release.

                              2.7 devel audit 2.jpg

                              #~. @Dobby

                              Turris Omnia - 4 Ports - 2 GB RAM / TurrisOS 7 Release (Btrfs)
                              PC Engines APU4D4 - 4 Ports - 4 GB RAM / pfSense CE 2.7.2 Release (ZFS)
                              PC Engines APU6B4 - 4 Ports - 4 GB RAM / pfSense+ (Plus) 24.03_1 Release (ZFS)

                              1 Reply Last reply Reply Quote 0
                              • jimpJ
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                More often than not even if something is marked as a problem in cURL, the actual bug does not affect how cURL is used in pfSense software.

                                Many of these bugs end up being about connecting to random/arbitrary malicious servers or using options/features/functions that never get enabled on pfSense, and so on.

                                So it's not enough to see that something is flagged as being potentially vulnerable you also have to know if that vulnerable use case applies to cURL in this type of environment.

                                Usually if something is worth worrying about we'll bump the package even for older releases and then people can upgrade it manually from the shell, but sometimes that isn't feasible.

                                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 3
                                • JonathanLeeJ
                                  JonathanLee
                                  last edited by

                                  I got rid of some multiples in CURL and Strongswan by installing and uninstalling the package NUT again. NUT had some left over files from the last pfSense version.

                                  Screenshot 2023-05-23 at 7.23.13 AM.png

                                  Make sure to upvote

                                  1 Reply Last reply Reply Quote 1
                                  • First post
                                    Last post
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.