So, as a solution You propose me just…to stop using ntopng ? Seriously ?

If the unexposed redis vulnerabilities concern you, then yes, I definitely suggest that you stop using ntopng. There are likely much worse vulnerabilities, known and unknown, in ntopng itself.

Running any add-on package increases risk, and ntopng is a large and complicated piece of code which brings a higher level of risk than most. Of course, you have to decide for yourself what level of risk you are willing to operate with.

FWIW, as a whole I recommend use of ntopng as a diagnostic tool only. I do not recommend it as something for continual, routine operation.

@Sergei_Shablovsky said in pfSense CE 2.8 Release Candidate is Here!:

I clearly understand that most of this CVEs are out of Netgate’s obligation. But is this mean the current 2.8.0 would be in BETA until all of this CVEs would be resolved by developer’s community ?

No. It is not practical to stop the release of pfSense because there is a vulnerability in an add-on provided by the community. pfSense itself would never release.

If you want to go down that path, a much more practical approach would be for Netgate to remove the add-on from the repository until all vulnerabilities in the component and all of its dependencies were remediated. Ouch.

@Sergei_Shablovsky said in pfSense CE 2.8 Release Candidate is Here!:

redis-7.4.1 is vulnerable:
redis,valkey -- Denial-of-service valnerability due to malformed ACL selectors
CVE: CVE-2024-51741
WWW: https://vuxml.FreeBSD.org/freebsd/4d79fd1a-cc93-11ef-abed-08002784c58d.html

redis,valkey -- Remote code execution valnerability
CVE: CVE-2024-46981
WWW: https://vuxml.FreeBSD.org/freebsd/5f19ac58-cc90-11ef-abed-08002784c58d.html

redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client
CVE: CVE-2025-21605
WWW: https://vuxml.FreeBSD.org/freebsd/af8d043f-20df-11f0-b9c5-000c295725e4.html

If the redis vulnerabilities are of concern, you can completely remediate them by uninstalling the ntopng package.

So, as a solution You propose me just…to stop using ntopng ? Seriously ?

FWIW, the vuls listed don't actually impact the system as redis is started as a local-only embedded server, used only by ntopng.

Of course, I clearly understand that most of this CVEs are out of Netgate’s obligation. But is this mean the current 2.8.0 would be in BETA until all of this CVEs would be resolved by developer’s community ?

P.S.
Of course, agree with You, @dennypage if You say that NetFlow are better to use instead of a little outdated ntopng. Agree ?

redis-7.4.1 is vulnerable:
redis,valkey -- Denial-of-service valnerability due to malformed ACL selectors
CVE: CVE-2024-51741
WWW: https://vuxml.FreeBSD.org/freebsd/4d79fd1a-cc93-11ef-abed-08002784c58d.html

redis,valkey -- Remote code execution valnerability
CVE: CVE-2024-46981
WWW: https://vuxml.FreeBSD.org/freebsd/5f19ac58-cc90-11ef-abed-08002784c58d.html

redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client
CVE: CVE-2025-21605
WWW: https://vuxml.FreeBSD.org/freebsd/af8d043f-20df-11f0-b9c5-000c295725e4.html

If the redis vulnerabilities are of concern, you can completely remediate them by uninstalling the ntopng package.

FWIW, the vuls listed don't actually impact the system as redis is started as a local-only embedded server, used only by ntopng.

Are You planning to resolving this CVEs ? In which version ?

pkg audit -F

vulnxml file up-to-date
libxslt-1.1.37_1 is vulnerable:
  libxslt -- multiple vulnerabilities
  CVE: CVE-2025-24855
  CVE: CVE-2024-55549
  WWW: https://vuxml.FreeBSD.org/freebsd/a96cd659-303e-11f0-94b5-54ee755069b5.html

git-2.47.1 is vulnerable:
  git -- multiple vulnerabilities
  CVE: CVE-2024-52006
  CVE: CVE-2024-50349
  WWW: https://vuxml.FreeBSD.org/freebsd/3445e4b6-d2b8-11ef-9ff3-43c2b5d6c4c8.html

vim-9.1.0915 is vulnerable:
  vim -- Potential code execution
  WWW: https://vuxml.FreeBSD.org/freebsd/398d1ec1-f7e6-11ef-bb15-002590af0794.html

  vim -- potential data loss with zip.vim and specially crafted zip files
  CVE: CVE-2025-29768
  WWW: https://vuxml.FreeBSD.org/freebsd/9cf03c96-ffa5-11ef-bb15-002590af0794.html

  vim -- Improper Input Validation in Vim
  CVE: CVE-2025-27423
  WWW: https://vuxml.FreeBSD.org/freebsd/2ec7816d-fdb7-11ef-91ff-b42e991fc52e.html

python311-3.11.11 is vulnerable:
  cpython -- Use-after-free in "unicode_escape" decoder with error handler
  CVE: CVE-2025-4516
  WWW: https://vuxml.FreeBSD.org/freebsd/e587b52d-38ac-11f0-b7b6-dcfe074bd614.html

postgresql16-client-16.6 is vulnerable:
  PostgreSQL -- PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation
  CVE: CVE-2025-4207
  WWW: https://vuxml.FreeBSD.org/freebsd/78b8e808-2c45-11f0-9a65-6cc21735f730.html

  PostgreSQL -- PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
  CVE: CVE-2025-1094
  WWW: https://vuxml.FreeBSD.org/freebsd/fadf3b41-ea19-11ef-a540-6cc21735f730.html

suricata-7.0.8 is vulnerable:
  suricata -- Multiple vulnerabilities
  CVE: CVE-2025-29918
  CVE: CVE-2025-29917
  CVE: CVE-2025-29916
  CVE: CVE-2025-29915
  WWW: https://vuxml.FreeBSD.org/freebsd/1d53db32-0d60-11f0-8542-b42e991fc52e.html

redis-7.4.1 is vulnerable:
  redis,valkey -- Denial-of-service valnerability due to malformed ACL selectors
  CVE: CVE-2024-51741
  WWW: https://vuxml.FreeBSD.org/freebsd/4d79fd1a-cc93-11ef-abed-08002784c58d.html

  redis,valkey -- Remote code execution valnerability
  CVE: CVE-2024-46981
  WWW: https://vuxml.FreeBSD.org/freebsd/5f19ac58-cc90-11ef-abed-08002784c58d.html

  redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client
  CVE: CVE-2025-21605
  WWW: https://vuxml.FreeBSD.org/freebsd/af8d043f-20df-11f0-b9c5-000c295725e4.html

12 problem(s) in 7 installed package(s) found.