Security Vulnerabilities for VyOS 1.3.3 LTS

Hi, I used nessus scan and found some packages with security bugs. It doesn’t affect Vyos much but we need to patch them.


Everyone can wait the next update to patched.

Below is information for reporting security related issues.

this recommendation to use apt can break your system and it’s not supported

Remove manual guide patch

typical stance is that we are critical of remote execution exploits
since all users have root rights anyway
this will change once a new backend is introduced, and we will return operator level

Also verify so that this isnt false positives which isnt too uncommon with security scans since they dont take into account if a vulnerability have been backported or not (ie. they are just looking at version numbers instead of verifying if the assumed vulnerability is actually exploitable or not).

our issues with the Nessus scanner are ongoing
I probably need to dedicate time and get in touch with Tenable team

It does appear that these are valid vulnerabilities. The Debian security information reports the same as the posted Nessus output.

The openssl vulnerabilities appear to be focused on certs that include policy constraints, and them not being evaluated properly.

The libssh vulnerability can cause a denial of service from an authenticated attacker.

The wpa vulnerability could cause a denial of service, or potential arbitrary code execution, from an attacker within radio range.

Just a handful that I looked up manually. Some of those are in the high category. Not sure which specific one is in the critical category.

I know that this forum thread is regarding 1.3.3 LTS, but how are your results if you do the same scanning on current 1.4-rolling (VyOS 1.4-rolling-202308140557 as of writing)?

Im thinking if the issues Nessus are seeing wont resolve by themselves when you do a fresh build on 1.3.3 code but today which will drag in current packages from Debian?

That is a “quickfix” might be to release 1.3.4 LTS by just building it today compared to whenever 1.3.3 LTS was built?

Your “quickfix” works. After reading your note, I tried building 1.3.3 using the regular VyOS build scripts, and when I went through the resulting build.log file, each of these issues had been addressed, just as you expected.