Security Vulnerabilities for VyOS 1.3.3
Closed, Resolved | Public | BUG

Assigned To
Authored By
cuongdt1994
Jun 27 2023, 7:52 PM
Referenced Files
F3793509: image.png
Jun 27 2023, 7:54 PM
F3793507: image.png
Jun 27 2023, 7:54 PM
F3793505: image.png
Jun 27 2023, 7:54 PM
F3793502: image.png
Jun 27 2023, 7:54 PM
F3793500: Router_zyh3oa.html
Jun 27 2023, 7:52 PM

Description

Hi, I used a Nessus scan and found some packages with security bugs. It doesn't affect VyOS too much, but we need to patch them.

Please see the report.

Found many vulnerabilities with a Denial of Service effect.

Details

Difficulty level
Easy (less than an hour)
Version
VyOS 1.3.3
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Security vulnerability

Related Objects

Mentioned In
1.3.6

Event Timeline

cuongdt1994 renamed this task from Security Vulnerabilities to Security Vulnerabilities for VyOS 1.3.3. Jun 27 2023, 7:54 PM

I assume this will fix itself if you build your own 1.3.3 LTS from sources today, since 1.3.3 LTS was released in June 2023:

https://blog.vyos.io/vyos-1.3.3-lts-release

Or wait for 1.3.4 LTS to be released (which would also automagically fix most of these findings).

The thing with VyOS builds is that they will use the current version of packages for the Debian version the build is based on, which for the 1.3 series looks to be Debian 10 buster, whereas the 1.4 series is based on Debian 12 bookworm.

That is, if the released 1.3.3 LTS was built mid-June 2023, this means that if you build 1.3.3 LTS yourself today, 25 Aug, it will include all the fixes that have been released for Debian 10 buster between mid-June 2023 and late Aug 2023.

dmbaturin claimed this task.