VyOS 1.2.6-S1 security release
Posted 28 Sep, 2020 by Daniil Baturin
VyOS 1.2.6 release was found to be suspectible to CVE-2020-10995. It's a low-impact vulnerability in the PowerDNS recursor that allows an attacker to cause performance degradation via a specially crafted authoritative DNS server reply.
And we provide fix for in in 1.2.6-s1 release
That vulnerability doesn't allow attackers to gain any privileges or even crash the PowerDNS recursor process, so the risk for users is very low. We decided to make a security release nonetheless, so that anyone concerned can update and have it resolved.
This release also fixes an accidental incompatibility in the syslog configuration syntax (see T2899).
Release images are available to every subscriber through the support portal. We haven't published official cloud images yet, so our official Amazon, Azure, and GCE images will be 1.2.6-S1 right away, and you will not need to update them manually.
Automated vulnerability checker
Since VyOS is comprised of multiple packages, keeping track of vulnerabilities can be a hard problem and automating it clearly would help. Thanks to the efforts of Anatoliy Rodik, there's now a prototype of an automated checker. Since live-build creates a list of packages included in the image at build time, we are planning to integrate that tool into our build process in the future.
It can use either free CVE databases or a paid Vulners database. The latter is more accurate so we got a subscription, but there will always be an option to use free databases so that as many people as possible can do an independent check.