  1. #1
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39

    Missing Critical Security Updates

    I'm on the most recent version of Untangle with no updates pending within the Untangle web interface. However, there are a bunch of critical vulnerabilities on this recent version. When will these patches be available for installation? I get not having direct tech support on the home subscription tier, but this is not something I'd expect to see with a paid subscription for updates.

    Vulnerability (Debian advisory) / Severity / Instances
    Debian: CVE-2019-15505: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-14896: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-14901: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-10220: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-16746: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-17133: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-14897: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-14895: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-17666: linux, linux-4.9 -- security update Critical 1
    Debian: CVE-2019-19052: linux, linux-4.9 -- security update
    Debian: CVE-2018-12900: tiff -- security update Severe 1
    Debian: CVE-2018-17100: tiff -- security update Severe 1
    Debian: CVE-2019-14814: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-14816: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-14815: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-17546: gdal, tiff -- security update Severe 1
    Debian: CVE-2019-19447: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-19527: linux, linux-4.9 -- security update
    Debian: CVE-2020-10531: icu -- security update Severe 1
    Debian: CVE-2019-15917: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-18683: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-17075: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2020-2800: openjdk-11, openjdk-7, openjdk-8 -- security update Severe 1
    Debian: CVE-2019-19332: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-18282: linux, linux-4.9 -- security update
    Debian: CVE-2019-2215: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2018-20976: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-19531: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2019-19532: linux, linux-4.9 -- security update Severe 1
    Debian: CVE-2020-2781: openjdk-11, openjdk-7, openjdk-8 -- security update Severe 1
    Debian: CVE-2020-12243: openldap -- security update Severe 1
    Debian: CVE-2020-2805: openjdk-11, openjdk-7, openjdk-8 -- security update Severe 1
    Debian: CVE-2020-2803: openjdk-11, openjdk-7, openjdk-8 -- security update Severe 1
    Debian: CVE-2019-15098: linux, linux-4.9 -- security update
    Last edited by propellherhead333; 05-17-2020 at 09:03 AM.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,797


    Most recent what? v15.1 is releasing next week, and it's a full OS upgrade.

    Moreover, all of the back-ported updates that matter have been applied to the current kernel.

    So my question is, where did you magic up this list?

    P.S. The subscription level used on Untangle has exactly zero bearing on what kernel and platform software is installed.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,898


    Not all of the Debian CVEs are applicable to Untangle. For one, we don't recommend exposing the admin interface or ssh on the WAN. Secondly, the kernel is custom. We use a modified Debian 4.9.189-3+untangle5 which already has the security patches integrated in.

    Whatever script is generating those CVEs is only looking at a list and not analyzing the security issue. For example, for CVE-2019-15505, there will be no USBs inserted into the firewall while it is running.
    Last edited by jcoffin; 05-17-2020 at 10:02 AM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,797


    The first CVE in the list involves issues with specially built USB devices breaking into stuff...

    Because you know... anything is "Secure" when someone can just shove a USB drive into it!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Untangle Ninja Jim.Alles's Avatar
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,284

    Support policy

    Quote Originally Posted by propellherhead333:
    I get not having direct tech support on the home subscription tier, but this is not something I'd expect to see with a paid subscription for updates.
    I would like to clarify this statement with my observation (I am not an employee of Untangle Inc.).

    The [Live Support] Application is not part of the HomePro subscription, correct.

    That, however, does not restrict access to the:

    As shown here https://support.untangle.com/hc/en-us/articles/213702688-What-are-the-Untangle-Support-Policies

    In addition, the only restriction on access to the support specialists (interaction generally notified by E-mail) is for non-subscription users, who will be de-prioritized from the normal first-come-first-served queue during times of high ticket volumes.

    Important:
    In my previous decade of non-subscription use, there has never been a time that receiving updates to Untangle products has been in any way dependent on any type of subscription. The business model just has not been structured that way. The subscriptions apply to the use of certain Applications.

    In my opinion, addressing valid security concerns and providing updates in a timely fashion is what distinguishes Untangle from the rest. It isn't easy.

    Enjoy!
    Last edited by Jim.Alles; 05-17-2020 at 12:05 PM.

  6. #6
    Untangler
    Join Date
    Mar 2020
    Posts
    42


    Quote Originally Posted by sky-knight:
    Most recent what? v15.1 is releasing next week, and it's a full OS upgrade.

    More over, all of the back ported updates that matter have been applied to the current kernel.

    So my question is, where did you magic up this list?

    P.S. The subscription level used on Untangle has exactly zero bearing on what kernel and platform software is installed.
    Look forward to seeing that. Particularly as I have only just installed UT.

  7. #7
    Untangler
    Join Date
    Sep 2019
    Location
    Canada
    Posts
    39


    The list was a vuln scan done in Nexpose. My timing of this post was a few days ahead of the major release update, so I will rescan once installed.
    Last edited by propellherhead333; 05-20-2020 at 01:45 AM.
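The triage step implied by posts #3 and #7 (version-based scanner rows versus a vendor kernel that carries backports) as an added example; this is not Untangle's or Nexpose's code. It assumes a Debian-style package changelog that names fixed CVE ids, and both the changelog excerpt and the installed-package set are constructed samples, not the real Untangle data.

```python
import re

# Constructed sample in the format of the scan list posted above (five rows only).
SCAN_LINES = """\
Debian: CVE-2019-15505: linux, linux-4.9 -- security update Critical 1
Debian: CVE-2019-14896: linux, linux-4.9 -- security update Critical 1
Debian: CVE-2018-12900: tiff -- security update Severe 1
Debian: CVE-2020-12243: openldap -- security update Severe 1
Debian: CVE-2019-15098: linux, linux-4.9 -- security update
"""

# Constructed changelog excerpt in Debian style. The version string is the one
# quoted in post #3; the CVE entries are hypothetical, NOT the real changelog.
CHANGELOG = """\
linux (4.9.189-3+untangle5) untangle; urgency=high

  * Backport upstream fixes (hypothetical sample entries):
    - CVE-2019-14896
    - CVE-2019-15098

 -- Example Maintainer <maintainer@example.invalid>  Mon, 11 May 2020 12:00:00 +0000
"""

# Constructed set of source packages actually present on the box.
INSTALLED_SOURCE_PKGS = {"linux", "tiff", "icu"}

ROW_RE = re.compile(r"^Debian: (?P<cve>CVE-\d{4}-\d+): (?P<pkgs>.+?) -- security update"
                    r"(?: (?P<severity>\w+) (?P<instances>\d+))?$")

def parse_scan(text):
    """Scanner rows -> dicts; rows with no severity/instances keep None there."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({"cve": m["cve"], "severity": m["severity"],
                         "packages": [p.strip() for p in m["pkgs"].split(",")],
                         "instances": int(m["instances"]) if m["instances"] else None})
    return rows

def fixed_cves(changelog, version):
    """CVE ids mentioned in the changelog entry for exactly this package version."""
    found, in_entry = set(), False
    for line in changelog.splitlines():
        m = re.match(r"^\S+ \((?P<ver>[^)]+)\)", line)  # "pkg (version) dist; ..."
        if m:
            in_entry = (m["ver"] == version)
        elif in_entry:
            found.update(re.findall(r"CVE-\d{4}-\d+", line))
    return found

def triage(rows, fixed, installed):
    """fixed-in-changelog / not-installed / review (needs a human look at applicability)."""
    return {r["cve"]: ("fixed-in-changelog" if r["cve"] in fixed else
                       "not-installed" if not any(p in installed for p in r["packages"]) else
                       "review") for r in rows}
```

Rows that come out as "review" are the ones where the scanner's package-list match is the only evidence, and applicability (such as physical USB access for CVE-2019-15505) still has to be judged by hand.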
