



Outstanding CVEs against VyOS components

#1
(This post was last modified: 18/08/2017, 20:06 by drmille.)

Is the VyOS community aware that there are several outstanding CVEs that are not included in the currently available image and will the community build a new image with these patches included in it and release it?
For instance:
StrongSwan
CVE-2017-9023
CVE-2017-9022
CVE-2015-8023
CVE-2015-4171
CVE-2014-9221
CVE-2014-2891
CVE-2014-2338
 
and
OpenVPN
CVE-2017-7522
CVE-2017-7521
CVE-2017-7520
CVE-2017-7508
CVE-2017-7479
CVE-2017-7478
CVE-2017-5868
CVE-2016-6329

Are we able to update the ipsec & openvpn OSS components separately?

Thanks in advance.

#2

Hello,
Thank you for the extensive list of CVEs in one place.
I created corresponding tasks (grab an account if you don't have one already):
https://phabricator.vyos.net/T354
https://phabricator.vyos.net/T355

In the 1.1.x series it is complicated to update separate components; instead, an image must be built.
We are now working on 1.1.8, in which at least part of these CVEs will be covered (and others not related to ovpn and strongswan).

In 1.2.x, package updates will be more straightforward.
Also, some CVEs can be irrelevant.
Latest builds can be found here: http://dev.packages.vyos.net/iso/current/amd64/
============
Open source routing platform for everyone!
Donate to VyOS project!

Looking for professional services?
Get them here!

#3

Quote:
In the 1.1.x series it is complicated to update separate components; instead, an image must be built.
  • When you say image must be built, do you mean by the VyOS community or do you mean we can apply patches ourselves and then create our own image?

Quote:
We are now working on 1.1.8, in which at least part of these CVEs will be covered (and others not related to ovpn and strongswan).
  • Can you tell me which CVEs will be covered by 1.1.8?
  • Can you tell me when 1.1.8 will be released?
Quote:
In 1.2.x, package updates will be more straightforward.
  • Can you tell me when 1.2.x will be released?
  • How does 1.2.x differ from 1.1.8?
Quote:
Also, some CVEs can be irrelevant.
  • Of the list I provided, can you tell me which CVEs are irrelevant?

#4

Quote:
  • When you say image must be built, do you mean by the VyOS community or do you mean we can apply patches ourselves and then create our own image?
You can.


Quote:
  • Can you tell me which CVEs will be covered by 1.1.8?
  • Can you tell me when 1.1.8 will be released?
Check corresponding tasks for CVEs
No ETAs


Quote:
  • Can you tell me when 1.2.x will be released?
  • How does 1.2.x differ from 1.1.8?
No ETAs.
1.1.x is built on Debian 6.
1.2.x is built on Debian 8.


Quote:
  • Of the list I provided, can you tell me which CVEs are irrelevant?
See discussions in corresponding tasks




