Question about Security report

Environment:

  • Hardware: LIME2 Pioneer edition
  • Software: Buster stable v. 19.15

I have a question about the recent modifications to the Security page. This may lead to an issue on Gitlab, but I want to make sure I understand the thought process to the modifications before I open an issue.

I believe that there is a discrepancy between two things on the security page:

1. The text in the “Status” menu reports that there are "0 reported security vulnerabilities"

2. The text in the table shows that there are a few non-zero values for security vulnerabilities

If a user clicks on the “show security vulnerabilities” button, they will see a small number of vulnerabilities and probably get confused about the statement at the top of the page.

Why does the top report 0 vulnerabilities if there are indeed a few vulnerabilities? Is it because the top is actually reporting critical vulnerabilities while the table reports all vulnerabilities? Or is it because the top only reports vulnerabilities for the FreedomBox interface while the table reports vulnerabilities for the apps? Either way, I believe that the current phrasing is a little confusing, and we could fix this issue by simply rephrasing a couple sentences.


I’m wondering the same thing and through searching found this post. My security report. On my newly installed FreedomBox 20.12.1 the Security Report first shows there is 1 reported vulnerability, and lists one or more current vulnerabilities in 8 Apps including apache, cockpit, ssh.
As a new user this concerns me that maybe I’m now hosting vulnerable/exploitable services (accessible from the internet when I enabled pagekite) on a device on my home network. Are there documents somewhere on how to interpret the report?

Rereading both, the web interface and the Security wiki/help page, I guess the sentence might perhaps refer to FreedomBox (as the web interface umbrella application itself, the freedombox Debian package), considered as a distinct package from the managed application-packages. (?)

But in any case the WUI should be clear for non-techies, so whenever it isn’t, it makes for a valid issue. Please, propose clearer wordings.

Is it still 20.12.1, or has it updated by now?

It’s updated, from System/Update

You are running Debian GNU/Linux 10 (buster) and FreedomBox version 21.2. FreedomBox is up to date.

Now the Security report shows 0 although the table shows multiple apps with current vulnerabilities. There are two questions I see.

  1. Why does the top number seem to disagree with the table below? My understanding is top number is the FreedomBox Web App package, and below table shows the other packages installed by FreedomBox.

  2. Should the user be concerned if they have vulnerabilities? Are these exploitable? Can they compromise the entire device? Does an attacker need to first have an account, or can anyone attack these vulnerabilities?
    As a non-expert new user to this project those were my first questions. I’d be happy to take a pass at writing documentation to explain this once I understand myself the intent of this page.

  1. Yes, that’s correct. The top number refers to only the freedombox package itself.

  2. It depends. You can check individual packages on https://security-tracker.debian.org. Note that the “apps” listed here include all the packages pulled in by those apps.
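As an added illustration of the answer above (this is example code written for this page, not FreedomBox's own implementation), the script below computes the two figures the report shows from the same data: the headline counts open vulnerabilities in the `freedombox` package alone, while the table counts, per app, the open vulnerabilities in every package that app pulls in. The record layout is modelled on the JSON export of the Debian security tracker, but all package names, CVE ids and statuses here are constructed placeholders, and the app-to-package mapping is an assumption for illustration, not FreedomBox's real dependency lists.

```python
"""Added example: why the headline count and the per-app table can disagree.

Headline = open CVEs in the `freedombox` package only.
Table    = per app, open CVEs across all Debian packages the app pulls in.
"""

RELEASE = "buster"

# Constructed tracker-style data: package -> CVE id -> per-release status.
# The CVE ids below are placeholders, not real advisories.
TRACKER_DATA = {
    "freedombox": {
        "CVE-0000-0001": {"releases": {"buster": {"status": "resolved"}}},
    },
    "apache2": {
        "CVE-0000-0002": {"releases": {"buster": {"status": "open"}}},
        "CVE-0000-0003": {"releases": {"buster": {"status": "resolved"}}},
    },
    "libssl1.1": {
        "CVE-0000-0004": {"releases": {"buster": {"status": "open"}}},
        "CVE-0000-0005": {"releases": {"buster": {"status": "open"}}},
    },
    "openssh-server": {
        "CVE-0000-0006": {"releases": {"buster": {"status": "open"}}},
    },
    "cockpit": {},
}

# Assumed app -> packages mapping (illustrative only). A shared library such
# as libssl1.1 is counted against every app that depends on it.
APP_PACKAGES = {
    "freedombox": ["freedombox"],
    "apache": ["apache2", "libssl1.1"],
    "ssh": ["openssh-server", "libssl1.1"],
    "cockpit": ["cockpit"],
}


def open_cves(tracker, package, release=RELEASE):
    """Return the sorted CVE ids still open for `package` in `release`."""
    cves = tracker.get(package, {})
    return sorted(
        cve for cve, info in cves.items()
        if info.get("releases", {}).get(release, {}).get("status") == "open"
    )


def headline_count(tracker, release=RELEASE):
    """The number at the top of the page: the freedombox package only."""
    return len(open_cves(tracker, "freedombox", release))


def table_counts(tracker, app_packages, release=RELEASE):
    """Per-app counts: union of open CVEs over every package the app pulls in."""
    counts = {}
    for app, packages in app_packages.items():
        cves = set()
        for pkg in packages:
            cves.update(open_cves(tracker, pkg, release))
        counts[app] = len(cves)
    return counts


if __name__ == "__main__":
    print("Headline (freedombox package only):", headline_count(TRACKER_DATA))
    for app, n in table_counts(TRACKER_DATA, APP_PACKAGES).items():
        print(f"  {app}: {n} open")
```

With this constructed data the headline is 0 while the table shows 3 open vulnerabilities for both apache and ssh, because both pull in the same library with two open issues; that is the situation the thread describes, and checking the individual packages on the tracker is what resolves which issues apply.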