curl-7.76.1 has multiple vulnerabilities
-
Hi
I ran pkg audit and I see curl has multiple vulnerabilities; I don't see any later updates for the curl package other than what is reported in the repo.
I would also suggest we need to have a category for Vulnerabilities.
######## output
pkg audit
curl-7.76.1 is vulnerable:
cURL -- Multiple vulnerabilities
CVE: CVE-2021-22926
CVE: CVE-2021-22925
CVE: CVE-2021-22924
CVE: CVE-2021-22923
CVE: CVE-2021-22922
WWW: https://vuxml.FreeBSD.org/freebsd/aa646c01-ea0d-11eb-9b84-d4c9ef517024.html
1 problem(s) in 1 installed package(s) found.
[2.5.2-RELEASE]
pkg search curl
curl-7.76.1 Command line tool and library for transferring data with URLs
php74-curl-7.4.20 The curl shared extension for php
#######
Thanks
Chandoo
-
@chandoo While a vulnerability section might not be a bad idea, such tools can be misleading sometimes. Did you look at those listed?
"When libcurl is built to use the macOS native TLS library Secure Transport"
"CURLOPT_TELNETOPTIONS in libcurl"
etc. I don't see how any of those would be an issue with pfSense running on FreeBSD.
-
I get this
Fetching vuln.xml.bz2: .......... done
curl-7.76.1 is vulnerable:
cURL -- Multiple vulnerabilities
CVE: CVE-2021-22947
CVE: CVE-2021-22946
CVE: CVE-2021-22945
WWW: https://vuxml.FreeBSD.org/freebsd/c9221ec9-17a2-11ec-b335-d4c9ef517024.html
cURL -- Multiple vulnerabilities
CVE: CVE-2021-22926
CVE: CVE-2021-22925
CVE: CVE-2021-22924
CVE: CVE-2021-22923
CVE: CVE-2021-22922
WWW: https://vuxml.FreeBSD.org/freebsd/aa646c01-ea0d-11eb-9b84-d4c9ef517024.html
python38-3.8.10 is vulnerable:
Python -- multiple vulnerabilities
WWW: https://vuxml.FreeBSD.org/freebsd/145ce848-1165-11ec-ac7e-08002789875b.html
mpd5-5.9 is vulnerable:
MPD5 PPPoE Server remotely exploitable crash
WWW: https://vuxml.FreeBSD.org/freebsd/f55921aa-10c9-11ec-8647-00e0670f2660.html
nss-3.66 is vulnerable:
NSS -- Memory corruption
CVE: CVE-2021-43527
WWW: https://vuxml.FreeBSD.org/freebsd/47695a9c-5377-11ec-8be6-d4c9ef517024.html
redis-6.0.14 is vulnerable:
redis -- Integer overflow issues with BITFIELD command on 32-bit systems
CVE: CVE-2021-32761
WWW: https://vuxml.FreeBSD.org/freebsd/c561ce49-eabc-11eb-9c3f-0800270512f4.html
redis -- multiple vulnerabilities
CVE: CVE-2021-32626
CVE: CVE-2021-32627
CVE: CVE-2021-32628
CVE: CVE-2021-32672
CVE: CVE-2021-32675
CVE: CVE-2021-32687
CVE: CVE-2021-32762
CVE: CVE-2021-41099
WWW: https://vuxml.FreeBSD.org/freebsd/9b4806c1-257f-11ec-9db5-0800270512f4.html
7 problem(s) in 5 installed package(s) found.
-
So when exactly would curl on pfSense be doing this, for example:
"When sending data to an MQTT server"
"redis -- Integer overflow issues with BITFIELD command on 32-bit systems"
How is that applicable?
If you were going to update every single package every time any sort of issue is found, all you would be doing is running updates. Unless the issue is applicable to how pfSense is used, it really shouldn't be a concern.
I am all for keeping up with what is out there, and what could be issues, but it can get out of hand really quickly if every little alert is some sort of fire drill for how the sky is falling.
pfSense and the Netgate team should be keeping abreast of issues that could affect the pfSense install base, and taking the appropriate actions. If you do not trust them to do their jobs, why are you running their software?
Are you following up with the 2400-some-plus CVEs currently out for Windows 10? And following up with MS on what they are doing about them? ;)
What is funny to me is how on one hand you have users worried about some odd CVE report for a package and use case that I just do not see how it's an issue, and then you have others still running pfSense 2.3 ;)
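The applicability check both replies above lean on (is this libcurl built on Apple's Secure Transport at all, and does it even have the TELNET and MQTT protocols compiled in?) can be read straight off `curl -V`. The script below is an added example for this thread; it is not from the original posts, from pfSense or from Netgate. The two `curl -V` banners are constructed for illustration and may not match what a given pfSense build prints; the checks themselves rely only on the first line of the banner (where curl names its TLS backend, e.g. `(SecureTransport)`) and on the `Protocols:` line.

```shell
#!/bin/sh
# Added example: answer "does this curl build even meet the precondition
# the advisory quotes?" from the `curl -V` banner, without touching a
# package database. Constructed sample banners follow; on a real box run:
#   curl_precondition_report "$(curl -V)"

# Constructed banner in the shape of a FreeBSD/OpenSSL curl 7.76.1 build.
SAMPLE_FREEBSD='curl 7.76.1 (amd64-portbld-freebsd12.2) libcurl/7.76.1 OpenSSL/1.1.1k zlib/1.2.11 nghttp2/1.43.0
Release-Date: 2021-04-14
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTP2 HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets'

# Constructed banner in the shape of a macOS curl built on Secure Transport.
SAMPLE_MACOS='curl 7.64.1 (x86_64-apple-darwin20.0) libcurl/7.64.1 (SecureTransport) LibreSSL/2.8.3 zlib/1.2.11 nghttp2/1.41.0
Release-Date: 2019-03-27
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS GSS-API HTTP2 HTTPS-proxy IPv6 Kerberos Largefile libz MultiSSL NTLM NTLM_WB SPNEGO SSL UnixSockets'

# curl_has_protocol BANNER NAME: exit 0 when NAME appears on the Protocols: line.
curl_has_protocol() {
  printf '%s\n' "$1" | grep -i '^Protocols:' | tr ' ' '\n' | grep -qix "$2"
}

# curl_uses_secure_transport BANNER: exit 0 when the first line names
# SecureTransport as a TLS backend (only possible on Apple platforms).
curl_uses_secure_transport() {
  printf '%s\n' "$1" | head -n 1 | grep -q 'SecureTransport'
}

# curl_precondition_report BANNER: one line per quoted precondition,
# "<name>: present" or "<name>: absent".
curl_precondition_report() {
  banner=$1
  if curl_uses_secure_transport "$banner"; then
    echo "SecureTransport: present"
  else
    echo "SecureTransport: absent"
  fi
  for proto in telnet mqtt; do
    if curl_has_protocol "$banner" "$proto"; then
      echo "$proto: present"
    else
      echo "$proto: absent"
    fi
  done
}

# Demo on the constructed banners.
echo "== FreeBSD-style build =="; curl_precondition_report "$SAMPLE_FREEBSD"
echo "== macOS-style build ==";  curl_precondition_report "$SAMPLE_MACOS"
```

"Present" only means the build can reach the code path an advisory talks about; whether pfSense ever drives curl to a TELNET or MQTT endpoint is the separate question the replies raise. "Absent" is the cheap, reliable way to close the ticket: an OpenSSL-backed FreeBSD build cannot be affected by a Secure Transport-only condition no matter what pkg audit lists.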
-