CVE forum discussion categories?
-
@dobby_ I noticed strongswan also shows as an issue for me. I am still running 23.01 the version before 23.05.
-
@jonathanlee said in CVE forum discussion categories?:
@rcoleman-netgate I have Squidguard, squid, squidlite, cron, watchdog, snort, patches,
I suspect curl() is required by System Patches. You can find dependencies from the System->Packages page.
-
@jonathanlee said in CVE forum discussion categories?:
@dobby_ I noticed strongswan also shows as an issue for me. I am still running 23.01 the version before 23.05.
Many patches were finding their way into the 23.05 and
on top I think there will be more actual packages and/or
other versions inside that will not be affected anymore
by the vulns you were presenting.
23.05 RC Strongswan
[23.05-RC][root@xx xx xx]/root: pkg info strongswan
strongswan-5.9.10_2
Name : strongswan
Version : 5.9.10_2
Installed on : Wed May 10 22:13:58 2023 CEST
Origin : security/strongswan
Architecture : FreeBSD:14:amd64
Prefix : /usr/local
Categories : security net-vpn
Licenses : GPLv2
Maintainer : strongswan@nanoteq.com
WWW : https://www.strongswan.org
Comment : Open Source IKEv2 IPsec-based VPN solution
Options :
    BUILTIN : off
    CTR : off
    CURL : on
    EAPAKA3GPP2 : off
    EAPDYNAMIC : on
    EAPRADIUS : on
    EAPSIMFILE : on
    FARP : off
    GCM : on
    IKEV1 : on
    IPSECKEY : on
    KDF : on
    KERNELLIBIPSEC : off
    LDAP : off
    LIBC : off
    LOADTESTER : off
    MEDIATION : off
    MYSQL : off
    PKCS11 : on
    PKI : on
    PYTHON : off
    SCEP : off
    SMP : off
    SQLITE : off
    SWANCTL : on
    TESTVECTOR : off
    TPM : off
    TSS2 : off
    UNBOUND : on
    UNITY : on
    VICI : on
    VSTR : on
    XAUTH : on
Shared Libs required:
    libvstr-1.0.so.0
    libunbound.so.8
    libldns.so.3
    libcurl.so.4
Shared Libs provided:
    libvici.so.0
    libtls.so.0
    libstrongswan.so.0
    libstrongswan-xcbc.so
    libstrongswan-xauth-pam.so
    libstrongswan-xauth-generic.so
    libstrongswan-xauth-eap.so
    libstrongswan-x509.so
    libstrongswan-whitelist.so
    libstrongswan-vici.so
    libstrongswan-updown.so
    libstrongswan-unity.so
    libstrongswan-unbound.so
    libstrongswan-stroke.so
    libstrongswan-sshkey.so
    libstrongswan-socket-default.so
    libstrongswan-sha2.so
    libstrongswan-sha1.so
    libstrongswan-revocation.so
    libstrongswan-resolve.so
    libstrongswan-rc2.so
    libstrongswan-random.so
    libstrongswan-pubkey.so
    libstrongswan-pkcs8.so
    libstrongswan-pkcs7.so
    libstrongswan-pkcs12.so
    libstrongswan-pkcs11.so
    libstrongswan-pkcs1.so
    libstrongswan-pgp.so
    libstrongswan-pem.so
    libstrongswan-openssl.so
    libstrongswan-nonce.so
    libstrongswan-md5.so
    libstrongswan-md4.so
    libstrongswan-kernel-pfroute.so
    libstrongswan-kernel-pfkey.so
    libstrongswan-kdf.so
    libstrongswan-ipseckey.so
    libstrongswan-hmac.so
    libstrongswan-gcm.so
    libstrongswan-fips-prf.so
    libstrongswan-eap-ttls.so
    libstrongswan-eap-tls.so
    libstrongswan-eap-sim.so
    libstrongswan-eap-sim-file.so
    libstrongswan-eap-radius.so
    libstrongswan-eap-peap.so
    libstrongswan-eap-mschapv2.so
    libstrongswan-eap-md5.so
    libstrongswan-eap-identity.so
    libstrongswan-eap-dynamic.so
    libstrongswan-drbg.so
    libstrongswan-dnskey.so
    libstrongswan-des.so
    libstrongswan-curve25519.so
    libstrongswan-curl.so
    libstrongswan-counters.so
    libstrongswan-constraints.so
    libstrongswan-cmac.so
    libstrongswan-blowfish.so
    libstrongswan-attr.so
    libstrongswan-aes.so
    libstrongswan-addrblock.so
    libsimaka.so.0
    libradius.so.0
    libcharon.so.0
Annotations :
    FreeBSD_version: 1400085
    build_timestamp: 2023-05-04T17:08:03+0000
    built_by : poudriere-git-3.3.99.20220831
    cpe : cpe:2.3:a:strongswan:strongswan:5.9.10:::::freebsd14:x64:2
    port_checkout_unclean: no
    port_git_hash : 78ba9de1f8df
    ports_top_checkout_unclean: yes
    ports_top_git_hash: e7f28213b661
    repo_type : binary
    repository : pfSense
Flat size : 3.24MiB
Description :
Strongswan is an open source IPsec-based VPN solution. Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key exchange protocols.
WWW: https://www.strongswan.org
2.7 Strongswan
[2.7.0-DEVELOPMENT][root@xx xx xx]/root: pkg info strongswan
strongswan-5.9.10_2
Name : strongswan
Version : 5.9.10_2
Installed on : Mon May 8 21:38:18 2023 CEST
Origin : security/strongswan
Architecture : FreeBSD:14:amd64
Prefix : /usr/local
Categories : security net-vpn
Licenses : GPLv2
Maintainer : strongswan@nanoteq.com
WWW : https://www.strongswan.org
Comment : Open Source IKEv2 IPsec-based VPN solution
Options :
    BUILTIN : off
    CTR : off
    CURL : on
    EAPAKA3GPP2 : off
    EAPDYNAMIC : on
    EAPRADIUS : on
    EAPSIMFILE : on
    FARP : off
    GCM : on
    IKEV1 : on
    IPSECKEY : on
    KDF : on
    KERNELLIBIPSEC : off
    LDAP : off
    LIBC : off
    LOADTESTER : off
    MEDIATION : off
    MYSQL : off
    PKCS11 : on
    PKI : on
    PYTHON : off
    SCEP : off
    SMP : off
    SQLITE : off
    SWANCTL : on
    TESTVECTOR : off
    TPM : off
    TSS2 : off
    UNBOUND : on
    UNITY : on
    VICI : on
    VSTR : on
    XAUTH : on
Shared Libs required:
    libvstr-1.0.so.0
    libunbound.so.8
    libldns.so.3
    libcurl.so.4
Shared Libs provided:
    libvici.so.0
    libtls.so.0
    libstrongswan.so.0
    libstrongswan-xcbc.so
    libstrongswan-xauth-pam.so
    libstrongswan-xauth-generic.so
    libstrongswan-xauth-eap.so
    libstrongswan-x509.so
    libstrongswan-whitelist.so
    libstrongswan-vici.so
    libstrongswan-updown.so
    libstrongswan-unity.so
    libstrongswan-unbound.so
    libstrongswan-stroke.so
    libstrongswan-sshkey.so
    libstrongswan-socket-default.so
    libstrongswan-sha2.so
    libstrongswan-sha1.so
    libstrongswan-revocation.so
    libstrongswan-resolve.so
    libstrongswan-rc2.so
    libstrongswan-random.so
    libstrongswan-pubkey.so
    libstrongswan-pkcs8.so
    libstrongswan-pkcs7.so
    libstrongswan-pkcs12.so
    libstrongswan-pkcs11.so
    libstrongswan-pkcs1.so
    libstrongswan-pgp.so
    libstrongswan-pem.so
    libstrongswan-openssl.so
    libstrongswan-nonce.so
    libstrongswan-md5.so
    libstrongswan-md4.so
    libstrongswan-kernel-pfroute.so
    libstrongswan-kernel-pfkey.so
    libstrongswan-kdf.so
    libstrongswan-ipseckey.so
    libstrongswan-hmac.so
    libstrongswan-gcm.so
    libstrongswan-fips-prf.so
    libstrongswan-eap-ttls.so
    libstrongswan-eap-tls.so
    libstrongswan-eap-sim.so
    libstrongswan-eap-sim-file.so
    libstrongswan-eap-radius.so
    libstrongswan-eap-peap.so
    libstrongswan-eap-mschapv2.so
    libstrongswan-eap-md5.so
    libstrongswan-eap-identity.so
    libstrongswan-eap-dynamic.so
    libstrongswan-drbg.so
    libstrongswan-dnskey.so
    libstrongswan-des.so
    libstrongswan-curve25519.so
    libstrongswan-curl.so
    libstrongswan-counters.so
    libstrongswan-constraints.so
    libstrongswan-cmac.so
    libstrongswan-blowfish.so
    libstrongswan-attr.so
    libstrongswan-aes.so
    libstrongswan-addrblock.so
    libsimaka.so.0
    libradius.so.0
    libcharon.so.0
Annotations :
    FreeBSD_version: 1400085
    build_timestamp: 2023-04-27T06:52:01+0000
    built_by : poudriere-git-3.3.99.20220831
    cpe : cpe:2.3:a:strongswan:strongswan:5.9.10:::::freebsd14:x64:2
    port_checkout_unclean: no
    port_git_hash : 78ba9de1f8df
    ports_top_checkout_unclean: yes
    ports_top_git_hash: 78ba9de1f8df
    repo_type : binary
    repository : pfSense
Flat size : 3.24MiB
Description :
Strongswan is an open source IPsec-based VPN solution. Strongswan for FreeBSD implements both the IKEv1 and IKEv2 (RFC 5996) key exchange protocols.
WWW: https://www.strongswan.org
-
@dobby_ how did you update curl?
-
@jonathanlee said in CVE forum discussion categories?:
@dobby_ how did you update curl?
I never did that! I was only installing 23.05 RC and on the
other hardware 2.7 Devel, both are amd64 (x86_64), so
I don't know for real, but I imagine that in the newer
versions there are also newer packets (pkgs) installed or the
last available versions of some packets, modules and so
on and so on.
-
pkg info -r curl should tell you what packages are depending on the curl package
-
This time I have one more than you!
-
@dobby_ I wonder how we can fix curl issues
-
@jonathanlee said in CVE forum discussion categories?:
@dobby_ I wonder how we can fix curl issues
Before it wasn't marked as vuln. and now it is also shown
in the newer version, perhaps they found the problems
in the last days/hours and before it was not known.
As an example and compared to the 2.7 Devel version
(latest) you may be able to see what we can await from
the real 2.7 Release.
-
More often than not even if something is marked as a problem in cURL, the actual bug does not affect how cURL is used in pfSense software.
Many of these bugs end up being about connecting to random/arbitrary malicious servers or using options/features/functions that never get enabled on pfSense, and so on.
So it's not enough to see that something is flagged as being potentially vulnerable; you also have to know if that vulnerable use case applies to cURL in this type of environment.
Usually if something is worth worrying about we'll bump the package even for older releases and then people can upgrade it manually from the shell, but sometimes that isn't feasible.
-
I got rid of some multiples in CURL and Strongswan by installing and uninstalling the package NUT again. NUT had some left over files from the last pfSense version.
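-
Added example, not written by any poster in this thread and not pfSense project code: a small sh helper that combines the `pkg info -r` suggestion above with the point that a flagged package still has to be judged by how it is used. It assumes the FreeBSD `pkg audit` text layout ("name-version is vulnerable:" header lines); the sample text, versions, CVE id and URL are constructed placeholders, and `RDEPS` is a hypothetical override for offline use.

```shell
#!/bin/sh
# Triage helper: which flagged packages exist, and which installed packages need them.

# Constructed sample of `pkg audit` text (placeholder versions, CVE id and URL).
sample_audit() {
cat <<'EOF'
curl-0.0.0 is vulnerable:
  curl -- constructed sample entry
  CVE: CVE-XXXX-NNNN
  WWW: https://vuxml.example.invalid/placeholder.html

strongswan-0.0.0_1 is vulnerable:
  strongswan -- constructed sample entry
  CVE: CVE-XXXX-NNNN
  WWW: https://vuxml.example.invalid/placeholder.html

curl-0.0.0 is vulnerable:
  curl -- second constructed entry for the same package
  CVE: CVE-XXXX-NNNN
  WWW: https://vuxml.example.invalid/placeholder.html

3 problem(s) in 2 installed package(s) found.
EOF
}

# Print each flagged name-version once, however many entries it has.
flagged_pkgs() {
    sed -n 's/^\([^[:space:]][^[:space:]]*\) is vulnerable:$/\1/p' | sort -u
}

# "strongswan-5.9.10_2" -> "strongswan": drop the trailing -version.
pkg_name() {
    printf '%s\n' "${1%-*}"
}

# For every flagged package in the audit text on stdin, list the installed
# packages that require it. RDEPS (assumption) replaces the lookup when testing.
triage() {
    flagged_pkgs | while read -r p; do
        printf '== %s\n' "$(pkg_name "$p")"
        ${RDEPS:-pkg info -r} "$(pkg_name "$p")"
    done
}

# On the firewall shell: pkg audit | triage
```

The dependents list only tells you where to look; whether a flagged issue matters still depends on how those dependents actually use the library.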