CVE forum discussion categories?

Dobby_ · May 17, 2023, 4:54 AM

@rcoleman-netgate
On 23.05 RC
pfBlockerNG_v3.2.0_5

On 2.7 devel
pfBlockerNG_v3.2.0_4

@JonathanLee
23.05 RC

2.7 Devel

JonathanLee · May 17, 2023, 4:56 AM

@dobby_ i noticed strongswan also shows as an issue for me. I am still running 23.01 the version before 23.05.

rcoleman-netgate · May 17, 2023, 4:56 AM

@jonathanlee said in CVE forum discussion categories?:

@rcoleman-netgate I have Squidguard, squid, squidlite, cron, watchdog, snort, patches,

I suspect curl() is required by System Patches. You can find dependencies from the System->Packages page.

Dobby_ · May 17, 2023, 5:05 AM

@jonathanlee said in CVE forum discussion categories?:

@dobby_ i noticed strongswan also shows as an issue for me. I am still running 23.01 the version before 23.05.

Many patches were finding its way into the 23.05 and
on top I think there will be more actual packages ad/or
other version inside that will be not anymore affected
by the vuln`s you were presenting.

23.05 RC Strongswan

[23.05-RC][root@xx xx xx]/root: pkg info strongswan
strongswan-5.9.10_2
Name           : strongswan
Version        : 5.9.10_2
Installed on   : Wed May 10 22:13:58 2023 CEST
Origin         : security/strongswan
Architecture   : FreeBSD:14:amd64
Prefix         : /usr/local
Categories     : security net-vpn
Licenses       : GPLv2
Maintainer     : strongswan@nanoteq.com
WWW            : https://www.strongswan.org
Comment        : Open Source IKEv2 IPsec-based VPN solution
Options        :
        BUILTIN        : off
        CTR            : off
        CURL           : on
        EAPAKA3GPP2    : off
        EAPDYNAMIC     : on
        EAPRADIUS      : on
        EAPSIMFILE     : on
        FARP           : off
        GCM            : on
        IKEV1          : on
        IPSECKEY       : on
        KDF            : on
        KERNELLIBIPSEC : off
        LDAP           : off
        LIBC           : off
        LOADTESTER     : off
        MEDIATION      : off
        MYSQL          : off
        PKCS11         : on
        PKI            : on
        PYTHON         : off
        SCEP           : off
        SMP            : off
        SQLITE         : off
        SWANCTL        : on
        TESTVECTOR     : off
        TPM            : off
        TSS2           : off
        UNBOUND        : on
        UNITY          : on
        VICI           : on
        VSTR           : on
        XAUTH          : on
Shared Libs required:
        libvstr-1.0.so.0
        libunbound.so.8
        libldns.so.3
        libcurl.so.4
Shared Libs provided:
        libvici.so.0
        libtls.so.0
        libstrongswan.so.0
        libstrongswan-xcbc.so
        libstrongswan-xauth-pam.so
        libstrongswan-xauth-generic.so
        libstrongswan-xauth-eap.so
        libstrongswan-x509.so
        libstrongswan-whitelist.so
        libstrongswan-vici.so
        libstrongswan-updown.so
        libstrongswan-unity.so
        libstrongswan-unbound.so
        libstrongswan-stroke.so
        libstrongswan-sshkey.so
        libstrongswan-socket-default.so
        libstrongswan-sha2.so
        libstrongswan-sha1.so
        libstrongswan-revocation.so
        libstrongswan-resolve.so
        libstrongswan-rc2.so
        libstrongswan-random.so
        libstrongswan-pubkey.so
        libstrongswan-pkcs8.so
        libstrongswan-pkcs7.so
        libstrongswan-pkcs12.so
        libstrongswan-pkcs11.so
        libstrongswan-pkcs1.so
        libstrongswan-pgp.so
        libstrongswan-pem.so
        libstrongswan-openssl.so
        libstrongswan-nonce.so
        libstrongswan-md5.so
        libstrongswan-md4.so
        libstrongswan-kernel-pfroute.so
        libstrongswan-kernel-pfkey.so
        libstrongswan-kdf.so
        libstrongswan-ipseckey.so
        libstrongswan-hmac.so
        libstrongswan-gcm.so
        libstrongswan-fips-prf.so
        libstrongswan-eap-ttls.so
        libstrongswan-eap-tls.so
        libstrongswan-eap-sim.so
        libstrongswan-eap-sim-file.so
        libstrongswan-eap-radius.so
        libstrongswan-eap-peap.so
        libstrongswan-eap-mschapv2.so
        libstrongswan-eap-md5.so
        libstrongswan-eap-identity.so
        libstrongswan-eap-dynamic.so
        libstrongswan-drbg.so
        libstrongswan-dnskey.so
        libstrongswan-des.so
        libstrongswan-curve25519.so
        libstrongswan-curl.so
        libstrongswan-counters.so
        libstrongswan-constraints.so
        libstrongswan-cmac.so
        libstrongswan-blowfish.so
        libstrongswan-attr.so
        libstrongswan-aes.so
        libstrongswan-addrblock.so
        libsimaka.so.0
        libradius.so.0
        libcharon.so.0
Annotations    :
        FreeBSD_version: 1400085
        build_timestamp: 2023-05-04T17:08:03+0000
        built_by       : poudriere-git-3.3.99.20220831
        cpe            : cpe:2.3:a:strongswan:strongswan:5.9.10:::::freebsd14:x64:2
        port_checkout_unclean: no
        port_git_hash  : 78ba9de1f8df
        ports_top_checkout_unclean: yes
        ports_top_git_hash: e7f28213b661
        repo_type      : binary
        repository     : pfSense
Flat size      : 3.24MiB
Description    :
Strongswan is an open source IPsec-based VPN solution.
Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key
exchange protocols.

WWW: https://www.strongswan.org

2.7 Strongswan

[2.7.0-DEVELOPMENT][root@xx xx xx]/root: pkg info strongswan
strongswan-5.9.10_2
Name           : strongswan
Version        : 5.9.10_2
Installed on   : Mon May  8 21:38:18 2023 CEST
Origin         : security/strongswan
Architecture   : FreeBSD:14:amd64
Prefix         : /usr/local
Categories     : security net-vpn
Licenses       : GPLv2
Maintainer     : strongswan@nanoteq.com
WWW            : https://www.strongswan.org
Comment        : Open Source IKEv2 IPsec-based VPN solution
Options        :
        BUILTIN        : off
        CTR            : off
        CURL           : on
        EAPAKA3GPP2    : off
        EAPDYNAMIC     : on
        EAPRADIUS      : on
        EAPSIMFILE     : on
        FARP           : off
        GCM            : on
        IKEV1          : on
        IPSECKEY       : on
        KDF            : on
        KERNELLIBIPSEC : off
        LDAP           : off
        LIBC           : off
        LOADTESTER     : off
        MEDIATION      : off
        MYSQL          : off
        PKCS11         : on
        PKI            : on
        PYTHON         : off
        SCEP           : off
        SMP            : off
        SQLITE         : off
        SWANCTL        : on
        TESTVECTOR     : off
        TPM            : off
        TSS2           : off
        UNBOUND        : on
        UNITY          : on
        VICI           : on
        VSTR           : on
        XAUTH          : on
Shared Libs required:
        libvstr-1.0.so.0
        libunbound.so.8
        libldns.so.3
        libcurl.so.4
Shared Libs provided:
        libvici.so.0
        libtls.so.0
        libstrongswan.so.0
        libstrongswan-xcbc.so
        libstrongswan-xauth-pam.so
        libstrongswan-xauth-generic.so
        libstrongswan-xauth-eap.so
        libstrongswan-x509.so
        libstrongswan-whitelist.so
        libstrongswan-vici.so
        libstrongswan-updown.so
        libstrongswan-unity.so
        libstrongswan-unbound.so
        libstrongswan-stroke.so
        libstrongswan-sshkey.so
        libstrongswan-socket-default.so
        libstrongswan-sha2.so
        libstrongswan-sha1.so
        libstrongswan-revocation.so
        libstrongswan-resolve.so
        libstrongswan-rc2.so
        libstrongswan-random.so
        libstrongswan-pubkey.so
        libstrongswan-pkcs8.so
        libstrongswan-pkcs7.so
        libstrongswan-pkcs12.so
        libstrongswan-pkcs11.so
        libstrongswan-pkcs1.so
        libstrongswan-pgp.so
        libstrongswan-pem.so
        libstrongswan-openssl.so
        libstrongswan-nonce.so
        libstrongswan-md5.so
        libstrongswan-md4.so
        libstrongswan-kernel-pfroute.so
        libstrongswan-kernel-pfkey.so
        libstrongswan-kdf.so
        libstrongswan-ipseckey.so
        libstrongswan-hmac.so
        libstrongswan-gcm.so
        libstrongswan-fips-prf.so
        libstrongswan-eap-ttls.so
        libstrongswan-eap-tls.so
        libstrongswan-eap-sim.so
        libstrongswan-eap-sim-file.so
        libstrongswan-eap-radius.so
        libstrongswan-eap-peap.so
        libstrongswan-eap-mschapv2.so
        libstrongswan-eap-md5.so
        libstrongswan-eap-identity.so
        libstrongswan-eap-dynamic.so
        libstrongswan-drbg.so
        libstrongswan-dnskey.so
        libstrongswan-des.so
        libstrongswan-curve25519.so
        libstrongswan-curl.so
        libstrongswan-counters.so
        libstrongswan-constraints.so
        libstrongswan-cmac.so
        libstrongswan-blowfish.so
        libstrongswan-attr.so
        libstrongswan-aes.so
        libstrongswan-addrblock.so
        libsimaka.so.0
        libradius.so.0
        libcharon.so.0
Annotations    :
        FreeBSD_version: 1400085
        build_timestamp: 2023-04-27T06:52:01+0000
        built_by       : poudriere-git-3.3.99.20220831
        cpe            : cpe:2.3:a:strongswan:strongswan:5.9.10:::::freebsd14:x64:2
        port_checkout_unclean: no
        port_git_hash  : 78ba9de1f8df
        ports_top_checkout_unclean: yes
        ports_top_git_hash: 78ba9de1f8df
        repo_type      : binary
        repository     : pfSense
Flat size      : 3.24MiB
Description    :
Strongswan is an open source IPsec-based VPN solution.
Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key
exchange protocols.

WWW: https://www.strongswan.org

JonathanLee · May 17, 2023, 7:07 PM

@dobby_ how did you update curl?

Dobby_ · May 17, 2023, 7:14 PM

@jonathanlee said in CVE forum discussion categories?:

@dobby_ how did you update curl?

I never did that! I was only installing 23.05 RC and on the
other hardware 2.7 Devel, both are amd64 (x86_64), so
I don´t know in real but I am imagine that in the newer
versions are also newer packets (pkg`s) installed or the
last available versions of some packets, modules and so
on and so on.

mer · May 18, 2023, 11:23 AM

pkg info -r curl should tell you what packages are depending on the curl package

JonathanLee · May 22, 2023, 10:38 PM

@mer

After the update to 23.05

It is like I have two different versions installed.

Dobby_ · May 23, 2023, 2:27 AM

@jonathanlee

This time I have one more then you!

JonathanLee · May 23, 2023, 2:27 AM

@dobby_ I wonder how we can fix curl issues

Dobby_ · May 23, 2023, 7:59 AM

@jonathanlee said in CVE forum discussion categories?:

@dobby_ I wonder how we can fix curl issues

Before it wasn`t marked as vuln. and now it is also shown
in the newer version, perhaps they found the problems
in the last days/hours and before it was not known.

As an example and compared to the 2.7 Devel version
(latest) you may able to see what we can await from
the real 2.7 Release.

jimp · May 23, 2023, 12:57 PM

More often than not even if something is marked as a problem in cURL, the actual bug does not affect how cURL is used in pfSense software.

Many of these bugs end up being about connecting to random/arbitrary malicious servers or using options/features/functions that never get enabled on pfSense, and so on.

So it's not enough to see that something is flagged as being potentially vulnerable you also have to know if that vulnerable use case applies to cURL in this type of environment.

Usually if something is worth worrying about we'll bump the package even for older releases and then people can upgrade it manually from the shell, but sometimes that isn't feasible.

JonathanLee · May 23, 2023, 2:24 PM

I got rid of some multiples in CURL and Strongswan by installing and uninstalling the package NUT again. NUT had some left over files from the last pfSense version.