Page 2 of 3, results 11 to 20 of 28
  1. #11 Untangler (Join Date: May 2008, Posts: 428)

    I don't want to manage Untangle because I don't know what they have modified. I guess it is out there somewhere. But since they don't want us to do anything from the CLI anyway, it puts the responsibility on them, especially with security updates. Other projects based on Debian are able to do it with apt, not just wait for the next slow rollout. It would probably speed up rollouts and reduce their bandwidth.

  2. #12 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,236)

    Untangle calls apt every single night. Security patches are pushed with that call NIGHTLY.

    And again, I just confirmed that Untangle is running the same patch level as Debian 10 on DNSMasq. They aren't for sudo.

    So the former is as updated as it can be, the latter is not, but also isn't much of a problem on Untangle anyway.

    But yes it is on Untangle to put security backports into their repos so we get them automatically.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #13 Untangler (Join Date: May 2008, Posts: 428)

    So it is running a cron or something?

  4. #14 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,236)

    Quote Originally Posted by donhwyo:
    So it is running a cron or something?

    YES! And if you actually LOOKED you'd know that.

    /etc/cron.daily/untangle-vm-cron
    Code:
    #! /bin/bash
    
    exec > /dev/null 2>&1
    
    # run apt-get update periodically
    apt-get update --yes --allow-releaseinfo-change >/dev/null 2>&1
    
    # remove old temp files older than 7 days (safety mechanism)
    /usr/bin/find /tmp -mtime +7 -name "*.tmp" | /usr/bin/xargs -r /bin/rm
    
    # run a full stop-the-world GC
    /usr/bin/ucli gc
    First line does what? Oh wait... apt's your crap. Untangle is autopatching, DAILY, has been for decades.

  5. #15 Untangler (Join Date: May 2008, Posts: 428)

    Thanks. I have raised this many times and never got a good answer like that before. LOL

  6. #16 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,236)

    Odd I could have sworn I've answered you before on this...

    But, it may not have been clear. The thing is, that daily cron? That's how Untangle updates everything. Your signature updates, app updates, platform updates, all of that is done via apt.

    That's also why Untangle has to control the repo, because if you configure apt to go against Debian repos you can get stuff to install from there... but you'll also wind up with an install that's very much NOT something that can be supported. This one line is why I warn people if you use apt to install stuff, make darned sure you undo apt's changes BEFORE the update fires at night. If you don't... box be toast.

    So we get security back ports at the same time as everything else, once a day. Also, while Untangle is based on Debian, it isn't Debian. So we can't always just grab Debian packages and run with it.

  7. #17 Untangler (Join Date: May 2008, Posts: 428)

    OK, a new Debian buster install yesterday and sudo is now:
    Code:
    root@debian:~# dpkg -l |grep sudo
    ii  sudo                          1.8.27-1+deb10u3
    Untangle is still:
    Code:
    [root @ homeuntangle] ~ # dpkg -l |grep sudo
    ii  sudo                                    1.8.27-1+deb10u2
    Will watch to see when it updates. If it is not being used, why not remove it?

    You asked what about "dnsmasq": https://forum.openwrt.org/t/security...bilities/85903 and also https://pi-hole.net/2021/01/27/pi-ho.../#page-content. Hopefully Untangle is working on these. SD-WAN is based on OpenWrt.

  8. #18 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,236)

    Because it doesn't matter?

    The exploit requires either an admin web login, or an SSH login to Untangle. Both of which mean root access is already enabled for the person connecting. A privilege escalation bug is irrelevant when you're already escalated!

  9. #19 Untangler (Join Date: May 2008, Posts: 428)

    Dnsmasq was updated on Debian buster over two weeks ago.
    Code:
    dnsmasq (2.80-1+deb10u1) buster-security; urgency=high
       * Non-maintainer upload by the Security Team.
       * Fix DNSpooq issue: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
         CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687.
     -- Sebastien Delafond <seb@debian.org>  Tue, 02 Feb 2021 07:52:55 +0100
    Other Debian systems got it within a day or two. Untangle still has not. Maybe they modify it or something. But you would think a security update with seven CVEs would be a priority.

    So I guess they use apt but don't update their repo often. There are other packages, not just dnsmasq.
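    The check posts #17 and #19 are doing by eye (is the installed build at or past the fixed version named in the Debian changelog?), as an added example that is not code from the thread or from Untangle. It parses the changelog stanza quoted above and compares versions with dpkg's own ordering rules; the installed version strings it is called with are assumed inputs, not taken from a real box.

```python
import re
from itertools import zip_longest
# Added example, not code from the thread or from Untangle: parse the Debian
# changelog stanza quoted above and decide whether an installed version already
# carries the fix, comparing versions with dpkg's own ordering rules.

CHANGELOG = """dnsmasq (2.80-1+deb10u1) buster-security; urgency=high
   * Non-maintainer upload by the Security Team.
   * Fix DNSpooq issue: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
     CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687.
 -- Sebastien Delafond <seb@debian.org>  Tue, 02 Feb 2021 07:52:55 +0100
"""

def parse_changelog(text):
    """Package, fixed version, suite, urgency and the CVE ids the stanza names."""
    m = re.match(r"(\S+) \(([^)]+)\) (\S+); urgency=(\S+)", text)
    return {"package": m[1], "version": m[2], "suite": m[3], "urgency": m[4],
            "cves": sorted(set(re.findall(r"CVE-\d{4}-\d+", text)))}

def _order(c):  # dpkg's weight for one char of a non-digit run ('' = end of run)
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _runs(s):  # alternating non-digit / digit runs, always starting with non-digit
    runs = re.findall(r"\d+|\D+", s)
    return [""] + runs if runs and runs[0].isdigit() else runs

def _cmp_part(a, b):
    """dpkg's verrevcmp: non-digit runs compare by char weight, digit runs numerically."""
    for i, (xa, xb) in enumerate(zip_longest(_runs(a), _runs(b), fillvalue="")):
        d = int(xa or 0) - int(xb or 0) if i % 2 else next(
            (_order(p) - _order(q) for p, q in zip_longest(xa, xb, fillvalue="")
             if _order(p) != _order(q)), 0)
        if d:
            return d
    return 0

def deb_version_cmp(v1, v2):
    """Negative, zero or positive, as `dpkg --compare-versions` would order v1 and v2."""
    def split(v):  # epoch before the first ':', revision after the last '-'
        e, u, r = re.fullmatch(r"(?:(\d+):)?(.*?)(?:-([^-]*))?", v).groups()
        return int(e or 0), u, r or ""
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_part(u1, u2) or _cmp_part(r1, r2)

def audit(changelog_text, installed):
    """Is the installed build at or above the fixed version; which CVEs stay open?"""
    entry = parse_changelog(changelog_text)
    patched = deb_version_cmp(installed, entry["version"]) >= 0
    return {"package": entry["package"], "fixed_in": entry["version"],
            "patched": patched, "open_cves": [] if patched else entry["cves"]}
```

    Calling audit(CHANGELOG, "2.80-1") reports the seven DNSpooq CVEs as still open; audit(CHANGELOG, "2.80-1+deb10u1") reports the box as patched. On a real Debian-based box, `dpkg --compare-versions` gives the same ordering without any of this code.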

  10. #20 Untangle Ninja sky-knight (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,236)

    Quote Originally Posted by donhwyo:
    Dnsmasq was updated on Debian buster over two weeks ago.
    Code:
    dnsmasq (2.80-1+deb10u1) buster-security; urgency=high
       * Non-maintainer upload by the Security Team.
       * Fix DNSpooq issue: CVE-2020-25681, CVE-2020-25682, CVE-2020-25683,
         CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687.
     -- Sebastien Delafond <seb@debian.org>  Tue, 02 Feb 2021 07:52:55 +0100
    Other Debian systems got it within a day or two. Untangle still has not. Maybe they modify it or something. But you would think a security update with seven CVEs would be a priority.

    So I guess they use apt but don't update their repo often. There are other packages, not just dnsmasq.

    Yes, now on that one I'm with you. Sudo isn't important, but DNSMasq is critical, and Untangle needs to update its repo now, or stop calling itself a security company. DNSpooq is no joke.

    Of course, Untangle isn't exactly alone... https://www.jsof-tech.com/disclosure...POOQ-scenarios But that's no excuse, update the package in the repo already!
