Recently I upgraded my VyOS VM (hosted on VMware) to version 1.3.0-epa3 to eliminate the previously reported security vulnerabilities. But today OpenVAS reports a higher level of risk for the upgraded VyOS (when scanning from inside the system) than before.
The following vulnerabilities were found:
Debian: Security Advisory for strongswan (DSA-4989-1) - 7.5 (High)
Debian: Security Advisory for postgresql-11 (DSA-5006-1) - 5.0 (Medium)
Missing Linux Kernel mitigations for ‘iTLB multihit’ hardware vulnerabilities - 6.5 (Medium)
Missing Linux Kernel mitigations for ‘MDS - Microarchitectural Data Sampling’ hardware vulnerabilities - 5.6 (Medium)
Missing Linux Kernel mitigations for ‘SSB - Speculative Store Bypass’ hardware vulnerabilities - 5.5 (Medium)
The first two vulnerabilities concern outdated packages in the system. Is it possible to install newer versions of these packages in VyOS or uninstall them completely?