OpenVAS scanner reports vulnerabilities for VyOS 1.3.0-epa3

Recently I upgraded my VyOS VM (hosted on VMware) to version 1.3.0-epa3 to eliminate the previously reported security vulnerabilities. But today OpenVAS reports a higher level of risk for the upgraded VyOS (when scanning from inside the system) than before.

The following vulnerabilities were found:
Debian: Security Advisory for strongswan (DSA-4989-1) - 7.5 (High)
Debian: Security Advisory for postgresql-11 (DSA-5006-1) - 5.0 (Medium)
Missing Linux Kernel mitigations for ‘iTLB multihit’ hardware vulnerabilities - 6.5 (Medium)
Missing Linux Kernel mitigations for ‘MDS - Microarchitectural Data Sampling’ hardware vulnerabilities - 5.6 (Medium)
Missing Linux Kernel mitigations for ‘SSB - Speculative Store Bypass’ hardware vulnerabilities - 5.5 (Medium)

The first two vulnerabilities concern outdated packages in the system. Is it possible to install newer versions of these packages in VyOS or uninstall them completely?


Hello @Dave, are you sure that this scanner checked VyOS? Did you manually install postgresql-11 on VyOS?

Hello @Dmitry,
Yes, I’m pretty sure that the scanner checked VyOS internally via an SSH session. I haven’t installed any additional packages on this VyOS, especially postgresql-11. It’s a clean system with no manually installed additions.

Hi @Dave, please check the installed packages:
sudo dpkg -l | grep postgre
In the next EPA release or LTS, packages should be updated automatically, but you can always find the required package in the Debian repo and update it manually, like dpkg -i package_file
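
An added example, not part of the original posts: Debian security advisories are issued per source package, and binary packages built from that source can have names a grep on "postgre" does not match (libpq5, for instance, is built from Debian's postgresql-11 source). The sketch below filters dpkg data by source package instead; the function names and the sample rows, including their versions, are constructed for illustration.

```shell
#!/bin/sh
# Added example: find installed binary packages by Debian *source* package.
# All package rows and versions in SAMPLE are constructed for illustration.

# Dump the live dpkg database as: status-abbrev, package, version, source.
# (Meant to be run on the Debian-based host itself; not called at load time.)
dump_packages() {
    dpkg-query -W \
        -f='${db:Status-Abbrev} ${Package} ${Version} ${source:Package}\n'
}

# Read such a dump on stdin and print "package version" for every package
# built from source $1 that is fully installed (status starts with "ii").
# "rc" (removed, config files left) is skipped; "un" (not installed) rows
# carry no version, so they have fewer than four fields and are skipped too.
pkgs_from_source() {
    awk -v src="$1" \
        'NF >= 4 && substr($1, 1, 2) == "ii" && $4 == src { print $2, $3 }'
}

# Constructed sample dump (not taken from the thread).
SAMPLE='ii  libpq5 11.0-1 postgresql-11
rc  postgresql-client-11 11.0-1 postgresql-11
ii  libstrongswan 5.0-1 strongswan
ii  strongswan-charon 5.0-1 strongswan
un  postgresql-11  postgresql-11
ii  openssh-server 1:7.0-1 openssh'

# A name grep for "postgre" would not list libpq5; the source match does.
printf '%s\n' "$SAMPLE" | pkgs_from_source postgresql-11
printf '%s\n' "$SAMPLE" | pkgs_from_source strongswan

# On a real host: dump_packages | pkgs_from_source postgresql-11
```

Comparing the versions it prints against the fixed version named in the advisory shows which binary packages still need the manual update.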

Hi @Dmitry,
very strange, it looks like the package is not installed at all:

I have updated all the Debian packages indicated in the report and the vulnerability rating has dropped significantly. Only hardware or hypervisor-related vulnerabilities remain: