I'm new to these forums, but willing to help this project flourish. I was setting up an instance of DynFi Firewall, as I'm coming from the latest OPNsense version and was looking at DynFi as my daily router/firewall. I was doing a security audit check from the firmware update section and found this:
Currently running DynFi Firewall ac7ad7b3084254a1ea71f8214a2225d465685a35 at Thu Jul 24 04:43:58 UTC 2025
Fetching vuln.xml.xz: .......... done
unbound-1.22.0_1 is vulnerable:
unbound -- Cache poisoning via the ECS-enabled Rebirthday Attack
CVE: CVE-2025-5994
sudo-1.9.16p2 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
expat-2.6.4 is vulnerable:
expat: improper restriction of xml entity expansion depth
CVE: CVE-2024-8176
py311-Jinja2-3.1.4 is vulnerable:
Jinja2 -- Sandbox breakout through attr filter selecting format method
CVE: CVE-2025-27516
openvpn-2.6.13 is vulnerable:
openvpn -- server-side denial-of-service vulnerability with tls-crypt-v2
CVE: CVE-2025-2704
libxml2-2.11.9 is vulnerable:
libxml2 -- Stack-based Buffer Overflow
CVE: CVE-2025-24928
libxml2 -- Use After Free
CVE: CVE-2024-56171
libxml2 -- multiple vulnerabilities
CVE: CVE-2025-49795
CVE: CVE-2025-49795
CVE: CVE-2025-49794
CVE: CVE-2025-6170
CVE: CVE-2025-6021
clamav-1.4.2,1 is vulnerable:
clamav -- ClamAV PDF Scanning Buffer Overflow Vulnerability
CVE: CVE-2025-20260
clamav -- ClamAV UDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
CVE: CVE-2025-20234
python311-3.11.11 is vulnerable:
cpython -- Use-after-free in "unicode_escape" decoder with error handler
CVE: CVE-2025-4516
kea-2.6.1_2 is vulnerable:
ISC KEA -- Multiple vulnerabilities
CVE: CVE-2025-32803
CVE: CVE-2025-32802
CVE: CVE-2025-32801
php82-8.2.28 is vulnerable:
php -- Multiple vulnerabilities
CVE: CVE-2025-1220
CVE: CVE-2025-6491
CVE: CVE-2025-1735
curl-8.11.1_1 is vulnerable:
curl -- Multiple vulnerabilities
CVE: CVE-2025-4947
CVE: CVE-2025-5025
py311-h11-0.14.0 is vulnerable:
h11 accepts some malformed Chunked-Encoding bodies
CVE: CVE-2025-43859
redis-7.4.2 is vulnerable:
redis,valkey -- DoS Vulnerability due to unlimited growth of output buffers abused by unauthenticated client
CVE: CVE-2025-21605
16 problem(s) in 13 installed package(s) found.
I was curious as to when these packages might become available in an update, as I would prefer, if my DynFi instance is internet facing, to be up to date on the latest packages. One other thing I noticed is this error in the updating process: Fetching changelog information, please wait... /usr/local/opnsense/scripts/firmware/changelog.sh: changelog_fetch: not found. Lastly, I'm running the latest DynFi Firewall version 4.04.30. Any assistance with these issues would be greatly appreciated. Thank you and have a great day.
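A listing like the one above is easier to track against a vendor's release notes once it is turned into structured data: which package, which advisory, which CVE ids, and whether the counts in pkg's own trailer line agree with what was parsed. The parser below is an added example written for this thread, not DynFi's or FreeBSD's own code. The line shapes it relies on ("<package> is vulnerable:", "<origin> -- <title>", "CVE: CVE-YYYY-NNNN", "N problem(s) in M installed package(s) found.") are taken from the pasted output; the sample text inside it is a constructed excerpt in that shape, and the function and field names are this example's own.

```python
"""Parse FreeBSD ``pkg audit``-style output into package/advisory/CVE records.

Added example for this thread (not DynFi's or FreeBSD's code). Line shapes
follow the audit output pasted in the post; SAMPLE_AUDIT is a constructed
excerpt in that shape, including the duplicated CVE line seen under libxml2.
"""
import re
from collections import OrderedDict

# Constructed sample in the shape of the pasted output (shortened).
SAMPLE_AUDIT = """\
Fetching vuln.xml.xz: .......... done
libxml2-2.11.9 is vulnerable:
libxml2 -- Stack-based Buffer Overflow
CVE: CVE-2025-24928
libxml2 -- multiple vulnerabilities
CVE: CVE-2025-49795
CVE: CVE-2025-49795
CVE: CVE-2025-49794
py311-Jinja2-3.1.4 is vulnerable:
Jinja2 -- Sandbox breakout through attr filter selecting format method
CVE: CVE-2025-27516
sudo-1.9.16p2 is vulnerable:
sudo -- privilege escalation vulnerability through host and chroot options
CVE: CVE-2025-32463
CVE: CVE-2025-32462
4 problem(s) in 3 installed package(s) found.
"""

PKG_RE = re.compile(r"^(?P<pkg>\S+) is vulnerable:$")
ADVISORY_RE = re.compile(r"^(?P<origin>\S.*?) -- (?P<title>.+)$")
CVE_RE = re.compile(r"^CVE:\s*(?P<cve>CVE-\d{4}-\d{4,})$")
TRAILER_RE = re.compile(
    r"^(?P<problems>\d+) problem\(s\) in (?P<packages>\d+) installed package\(s\) found\.$"
)


def parse_audit(text):
    """Return an ordered mapping: "<name>-<version>" -> record.

    Each record is {"name", "version", "advisories"}; each advisory is
    {"origin", "title", "cves"} with repeated CVE lines collapsed so that a
    duplicated line does not inflate the CVE count.
    """
    findings = OrderedDict()
    current_pkg = None   # package record the next advisory belongs to
    current_adv = None   # advisory the next CVE line belongs to
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            pkg = m.group("pkg")
            # Version follows the last '-' (e.g. py311-Jinja2-3.1.4 -> 3.1.4).
            name, _, version = pkg.rpartition("-")
            findings[pkg] = {"name": name, "version": version, "advisories": []}
            current_pkg, current_adv = pkg, None
            continue
        m = CVE_RE.match(line)
        if m and current_adv is not None:
            cve = m.group("cve")
            if cve not in current_adv["cves"]:
                current_adv["cves"].append(cve)
            continue
        m = ADVISORY_RE.match(line)
        if m and current_pkg is not None:
            current_adv = {"origin": m.group("origin"), "title": m.group("title"), "cves": []}
            findings[current_pkg]["advisories"].append(current_adv)
    return findings


def summarize(findings):
    """Advisory and package counts as pkg's trailer reports them, plus unique CVE ids."""
    problems = sum(len(rec["advisories"]) for rec in findings.values())
    cves = sorted({c for rec in findings.values() for adv in rec["advisories"] for c in adv["cves"]})
    return {"problems": problems, "packages": len(findings), "cves": cves}


def trailer_matches(text, findings):
    """True when the 'N problem(s) in M installed package(s)' line agrees with the parse."""
    for raw in text.splitlines():
        m = TRAILER_RE.match(raw.strip())
        if m:
            s = summarize(findings)
            return (int(m.group("problems")), int(m.group("packages"))) == (s["problems"], s["packages"])
    return False  # no trailer line: output was truncated or not an audit listing


def cves_for(findings, name):
    """Sorted unique CVE ids reported for a package *name* (version stripped)."""
    return sorted({c for rec in findings.values() if rec["name"] == name
                   for adv in rec["advisories"] for c in adv["cves"]})


if __name__ == "__main__":
    found = parse_audit(SAMPLE_AUDIT)
    for pkg, rec in found.items():
        print(f"{rec['name']} {rec['version']}:")
        for adv in rec["advisories"]:
            print(f"  {adv['title']}: {', '.join(adv['cves'])}")
    print(summarize(found), "trailer ok:", trailer_matches(SAMPLE_AUDIT, found))
```

Run over the full listing in the post instead of the sample, the same code reports 16 advisories across 13 packages, matching pkg's trailer, and 25 distinct CVE ids (the repeated CVE-2025-49795 line collapses to one). Keeping the previous run's output and diffing the `cves_for` result per package after each firmware update is a simple way to confirm which advisories a release actually closed.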
DynFi Firewall Security Audit of packages on the 4.04.30 instance..
Moderator: gregober
Re: DynFi Firewall Security Audit of packages on the 4.04.30 instance..
Good question:
In general, we follow FreeBSD’s quarterly release schedule, which ensures regular patching for all packages embedded in DynFi Firewall.
We pay close attention to addressing critical CVEs and make every effort to provide timely updates. That said, we also maintain a longer release cycle policy, avoiding the overhead of monthly fixes as done by OPNsense.
Most CVEs listed are not exploitable within DynFi Firewall unless the attacker already has high-level (root) privileges.