>That wasn’t a security incident for OpnSense. It was a CVE for an optional package most users probably don’t have installed.
First of all, the point is that the OS didn't release CVE fixes for the packages in its repositories even though it had already committed those fixes to version control. Notice that my comment specifically talks about "delay in security response", not that it was an "emergency".
>That user is completely unreasonable. Opnsense should refund their money (if any lol)
Second, I recommend reading the comment you respond to carefully before you rush to make an account to respond to it. "That user" is me. The GH thread has a clear comment from me that I did not pay them any money and do not have any expectation of support.
Third, notice that the point of the GH thread was me asking what their policy of releasing CVE fixes was. You seem to think I was some Karen complaining that they hadn't released the fix. All I asked was a confirmation that they're aware that they're shipping a package with a CVE, that they've already fixed the package but just not published it, and what their policy is for releasing fixes in general.
They could've responded with something like "We're aware of the CVE but we don't plan to release the fix in 23.1. Our policy is to only release bugfixes for non-critical packages in the next stable release, and we consider os-haproxy to be a non-critical package."
Instead they got weirdly defensive about it, tried to lecture me about how OS releases generally work, called me "rude" (ironic), and locked the issue.
The ultimate point is that OPNsense delays security fixes. Maybe you think it's okay because you think some OS packages are critical and this one wasn't. Maybe you think if an OS can't articulate its security fixes release policy without getting combative, then it's hard to take its security seriously. The decision is yours.
The maintainers of OpnSense are able to make their own determination about the severity of the issue and the method of the fix. They gently reminded the user of their process. Ubiquiti, as a provider of a paid security product, has a much larger, immediate, and different responsibility to fix the issue and communicate clearly with their clients.
I think that everyone is entitled to their own intentions, but they are also responsible for communicating those intentions effectively. If the intention was to not be "some Karen complaining", it wasn't clearly communicated that way.