Thread: CVE-2020-8597?

  1. #1
    Untangler
    Join Date
    May 2008
    Posts
    398

    CVE-2020-8597?

    https://nvd.nist.gov/vuln/detail/CVE-2020-8597

    ppp seems to be installed; not sure if anything is actually using it.

    Code:
    dpkg -l |grep ppp
    ii  ppp                                   2.4.7-1+4                                                       amd64        Point-to-Point Protocol (PPP) - daemon
    ii  pppoe                                 3.12-1.1                                                        amd64        PPP over Ethernet driver

    2.4.7-1+4 version is vulnerable. Don't see the pppoe version listed?

    https://security-tracker.debian.org/tracker/DSA-4632-1

    FYI

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,173

    https://www.debian.org/security/2020/dsa-4632

    Fix is already in the repo, it'll make it downstream soon enough.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    May 2008
    Posts
    398

    That's the point. Every other Debian system or appliance I have got the fix already. Only one not updated is the Untangle. Probably the most important. Most other appliances use apt to keep things up to date. They hold back packages they modify only. It allows them to work on what they do and get updates out quicker. With less pressure to push the next version to catch up. Also less bandwidth to the project.

    Don't know that this is that big of a deal. But if the next one or the one after that is?

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,173

    This happens all the time, Untangle isn't Debian. I'm not sure as to the nature of this specific bug against the overall platform but it's almost never an issue. In this case, I wouldn't be surprised if it's only a potential issue if you're using PPPoE.

  5. #5
    Untangler
    Join Date
    May 2008
    Posts
    398

    This one is probably not that big a deal. It's been there for 17 years. LOL

    What will tomorrow bring though? Being prepared is better than catching up. See current headlines.

  6. #6
    Untangle Ninja f1assistance
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,495

    Originally posted by donhwyo:
    "What will tomorrow bring though?"
    I see you've been a member of this forum (and I hope a user of Untangle) since 2008, and you now ask this question, seriously?
    I'd be interested in ANY perimeter device which has successfully pulled off what you believe Untangle isn't or should. #LookingGlass
    I've seen our whole industry from its beginning, built on "insecurity's" loose sand and simply react to everything NO one anticipated, and I foresee such will continue indefinitely.
    Personally, I've yet to find a client willing to make the difficult choices which would achieve what you insinuate is currently missing in Untangle. I believe you have the best in Untangle across all matrixes, present and future. My past with Untangle I'd argue proves my future with Untangle, and I'm confidently betting my and my clients' digital assets on their previous performance in all areas! drops mic
    Last edited by f1assistance; 03-14-2020 at 05:40 PM.
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  7. #7
    Untangler
    Join Date
    May 2008
    Posts
    398

    I have been using and recommending Untangle a year or 2 longer than becoming a forum member. I have only had 2 problems and both were fixed by support without a license. So I can't complain at all.

    Every CVE that I have looked at Untangle packages on has been bone stock Debian. I know they modify some packages like the kernel and others. Many projects like Proxmox do too. Unmodded packages update from Debian repos. Saving bandwidth, one of the main reasons for the delay pushing out new versions. If they mod a package they hold it back until they fix their version.

    Maybe with 15.1 being such a big download somebody will realize it might make sense.

  8. #8
    Untangler
    Join Date
    May 2008
    Posts
    398

    Originally posted by sky-knight:
    "This happens all the time, Untangle isn't Debian. I'm not sure as to the nature of this specific bug against the overall platform but it's almost never an issue. In this case, I wouldn't be surprised if it's only a potential issue if you're using PPPoE."

    From the Jira description: "or the stretch-to-buster one, however, I'm hoping it should be simpler: what we're running right now on top of stretch does indeed not deviate a whole lot from a vanilla stretch install."

    https://jira.untangle.com/browse/NGF...n%20%3D%2015.1

    FYI

  9. #9
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,698

    Update is coming soon.

    [root @ untangle-u25] ~ # dpkg -l | grep ppp
    ii ppp 2.4.7-1+4+deb9u1 i386 Point-to-Point Protocol (PPP) - daemon
    ii pppoe 3.12-1.1 i386 PPP over Ethernet driver
    [root @ untangle-u25] ~ # dpkg -l | grep untangle-vm
    ii untangle-vm 15.0.0.20200317T101940.81f051861c-1stretch all UVM Platform
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
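
As an added example (not from the thread or from Untangle): a small Python check that classifies the `ppp` package in `dpkg -l` output against the fixed version shown in post #9, using Debian's version-ordering rules. The function names are illustrative; on a Debian-based host `dpkg --compare-versions` performs the same comparison.

```python
import re
FIXED_PPP = "2.4.7-1+4+deb9u1"  # fixed build, as listed by dpkg in post #9

# dpkg -l lines copied from posts #1 and #9 (columns collapsed)
BEFORE = "ii ppp 2.4.7-1+4 amd64 Point-to-Point Protocol (PPP) - daemon"
AFTER = "ii ppp 2.4.7-1+4+deb9u1 i386 Point-to-Point Protocol (PPP) - daemon"

def _order(c):
    """Weight of one non-digit character in Debian version ordering."""
    if c == "~":
        return -1  # '~' sorts before everything, even end of string
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256  # letters before symbols

def _cmp_part(a, b):
    """Compare upstream or revision strings, alternating text and digit runs."""
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            x, y = _order(a[:1]), _order(b[:1])
            if x != y:
                return -1 if x < y else 1
            a, b = a[1:], b[1:]
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(na):], b[len(nb):]
        if int(na or 0) != int(nb or 0):  # an empty digit run counts as 0
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v):
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, dash, rev = rest.rpartition("-")
    return int(epoch), (upstream if dash else rest), rev if dash else ""

def deb_cmp(a, b):
    """Compare two [epoch:]upstream[-revision] versions: -1, 0 or 1."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def ppp_status(dpkg_output, fixed=FIXED_PPP):
    """Classify the ppp package from `dpkg -l` text."""
    for cols in map(str.split, dpkg_output.splitlines()):
        if len(cols) >= 3 and cols[0] == "ii" and cols[1].split(":")[0] == "ppp":
            return "vulnerable" if deb_cmp(cols[2], fixed) < 0 else "fixed"
    return "not installed"
```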