Calling all *nix Admins -PATCH YOUR CRAP-

[donhwyo]

I don't want to manage Untangle because I don't know what they have modified. I guess it is out there somewhere. But since they don't want us to do anything from the cli anyway it puts the responsibility on them. Especially with security updates. Other projects based on debian are able to do it with apt. Not just wait for the next slow roll out. It would probably speed up roll outs and reduce there bandwidth.

[sky-knight]

Untangle calls apt every single night. Security patches are pushed with that call NIGHTLY.

And again, I just confirmed that Untangle is running the same patch level as Debian 10 on DNSMasq. They aren't for sudo.

So the former is as updated as it can be, the latter is not, but also isn't much of a problem on Untangle anyway.

But yes it is on Untangle to put security backports into their repos so we get them automatically.

[donhwyo]

So it is running a cron or something?

[sky-knight]

So it is running a cron or something?

YES! And if you actually LOOKED you'd know that.

/etc/cron.daily/untangle-vm-cron

Code:

#! /bin/bash

exec > /dev/null 2>&1

# run apt-get update periodically
apt-get update --yes --allow-releaseinfo-change >/dev/null 2>&1

# remove old temp files older than 7 days (safety mechanism)
/usr/bin/find /tmp -mtime +7 -name "*.tmp" | /usr/bin/xargs -r /bin/rm

# run a full stop-the-world GC
/usr/bin/ucli gc

First line does what? Oh wait... apt's your crap. Untangle is autopatching, DAILY, has been for decades.

[donhwyo]

Thanks. I have raised this many times and never got a good answer like that before. LOL

[sky-knight]

Odd I could have sworn I've answered you before on this...

But, it may not have been clear. The thing is, that daily cron? That's how Untangle updates everything. Your signature updates, app updates, platform updates, all of that is done via apt.

That's also why Untangle has to control the repo, because if you configure apt to go against Debian repos you can get stuff to install from there... but you'll also wind up with an install that's very much NOT something that can be supported. This one line is why I warn people if you use apt to install stuff, make darned sure you undo apt's changes BEFORE the update fires at night. If you don't... box be toast.

So we get security back ports at the same time as everything else, once a day. Also, while Untangle is based on Debian, it isn't Debian. So we can't always just grab Debian packages and run with it.

[donhwyo]

Ok a new debian buster install yesterday and sudo is now.

Code:

root@debian:~# dpkg -l |grep sudo
ii  sudo                          1.8.27-1+deb10u3

Untangle is still.

Code:

[root @ homeuntangle] ~ # dpkg -l |grep sudo
ii  sudo                                    1.8.27-1+deb10u2

Will watch to see when it updates. If it is not being used why not remove it?

You asked what about "dnsmasq". https://forum.openwrt.org/t/security...bilities/85903 also https://pi-hole.net/2021/01/27/pi-ho.../#page-content Hopefully Untangle is working on these. SD-WAN is based on openwrt.

[sky-knight]

Because it doesn't matter?

The exploit requires either an admin web login, or an SSH login to Untangle. Both of which mean root access is already enabled for the person connecting. A privilege escalation bug is irrelevant when you're already escalated!

[donhwyo]

Dnsmasq has been updated on debian buster over two weeks ago.

Code:

dnsmasq (2.80-1+deb10u1) buster-security; urgency=high
   * Non-maintainer upload by the Security Team.
   * Fix DNSpooq issue: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
     CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687.
 -- Sebastien Delafond <seb@debian.org>  Tue, 02 Feb 2021 07:52:55 +0100

Other debian systems got it within a day or two. Untangle still has not. Maybe they modify it or something. But you would think a security update with seven CVE's would be a priority.

So I guess they use apt but don't update their repo often. There are other packages not just dnsmasq.

[sky-knight]

Dnsmasq has been updated on debian buster over two weeks ago.

Code:

dnsmasq (2.80-1+deb10u1) buster-security; urgency=high
   * Non-maintainer upload by the Security Team.
   * Fix DNSpooq issue: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
     CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687.
 -- Sebastien Delafond <seb@debian.org>  Tue, 02 Feb 2021 07:52:55 +0100

Other debian systems got it within a day or two. Untangle still has not. Maybe they modify it or something. But you would think a security update with seven CVE's would be a priority.

So I guess they use apt but don't update their repo often. There are other packages not just dnsmasq.

Yes, now on that one I'm with you. Sudo isn't important, but DNSMasq is critical, and Untangle needs to update its repo now, or stop calling itself a security company. DNSpooq is no joke.

Of course, Untangle isn't exactly alone... https://www.jsof-tech.com/disclosure...POOQ-scenarios But that's no excuse, update the package in the repo already!