Security Advisories

IAC-2026-003 (2026-01-29): Multiple vulnerabilities in Go

Severity: Medium
Affected versions: 24.0.0 – 24.1.x
Fixed version: 24.2.0
Related CVEs: CVE-2025-61728, CVE-2025-61726, CVE-2025-68121, CVE-2025-61731, CVE-2025-68119, CVE-2025-61730
There are multiple vulnerabilities in the Go standard library that could lead to Denial of Service (DoS) attacks or information leaks. There is no high risk for normal IACBOX operation.

CVE-2025-61728: archive/zip: Potential DoS attack when unpacking a malicious archive.
CVE-2025-61726: net/http: Potential DoS attack due to memory exhaustion on malicious URLs.
CVE-2025-68121: crypto/tls: Potential bypass of the check of the full TLS certificate chain.
CVE-2025-61730: crypto/tls: Potential minor information leakage during TLS handshake.
CVE-2025-61731, CVE-2025-68119: These vulnerabilities affect only the Go toolchain.

Find all details on the Go Security Advisory

IAC-2026-002 (2026-01-29): Multiple vulnerabilities in PHP

Severity: Medium
Affected versions: 24.0.0 – 24.1.x
Fixed version: 24.2.0
Related advisories: GHSA-8xr5-qppj-gvwj, GHSA-3237-qqm7-mfv7, GHSA-h96m-rvf9-jgm2

GHSA-8xr5-qppj-gvwj
NULL Pointer Dereference in PDO quoting - could lead to DoS attacks

GHSA-3237-qqm7-mfv7
Information leak of memory contents

GHSA-h96m-rvf9-jgm2
Heap buffer overflow in array_merge() - could lead to DoS attacks with crafted input

We recommend upgrading to the latest IACBOX version 24.2.0 to mitigate these vulnerabilities.

IAC-2026-001 (2026-01-09): zlib / untgz vulnerability

Severity: Not affected
Related CVEs: EUVD-2026-1173, CVE-2026-22184

The optional command line utility untgz has a critical vulnerability that allows an attacker to execute arbitrary code on the system. This vulnerability is due to a buffer overflow in the untgz utility.

The IACBOX is not affected: untgz is not installed. Only the zlib library itself is installed, and it does not contain this vulnerability.


See external page for more details

IAC-2025-008 (2025-10-06): Go security vulnerabilities

Severity: Medium
Affected versions: 24.0.0 – 24.0.11
Fixed version: 24.1.0
Related CVEs: EUVD-2025-30195, CVE-2025-47906, EUVD-2025-23921, CVE-2025-47907
The Go standard library is affected by the following vulnerabilities:

EUVD-2025-30195, CVE-2025-47906

If the PATH environment variable contains entries that are executables (rather than just directories), passing certain strings to LookPath ("", "." and "..") can result in the binaries listed in PATH being unexpectedly returned.
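As an added example (not code from Go or from IACBOX), the following Go program shows the two things a practitioner can check in their own code for this issue: whether PATH contains entries that are files rather than directories (the precondition), and a wrapper that refuses the degenerate names before they ever reach exec.LookPath. The names SafeLookPath, FileEntriesInPath and ErrBadName are hypothetical, and the PATH layout built in main is constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
)

// ErrBadName is returned for names that must never be resolved through PATH.
var ErrBadName = errors.New("refusing PATH lookup")

// SafeLookPath is a hypothetical wrapper around exec.LookPath. It rejects the
// degenerate names "", "." and ".." (the inputs named in the advisory) and, as
// a policy choice, anything containing a path separator, so only bare program
// names are searched for. exec.LookPath is then called for the remaining names.
func SafeLookPath(name string) (string, error) {
	if name == "" || name == "." || name == ".." || strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%w: %q", ErrBadName, name)
	}
	return exec.LookPath(name)
}

// FileEntriesInPath lists the entries of a PATH-style string (":"-separated on
// Linux) that are regular files rather than directories. Any such entry is the
// precondition for the unexpected LookPath results described above.
func FileEntriesInPath(path string) []string {
	var files []string
	for _, entry := range filepath.SplitList(path) {
		if entry == "" {
			continue // an empty entry means "current directory", never a file
		}
		if fi, err := os.Stat(entry); err == nil && fi.Mode().IsRegular() {
			files = append(files, entry)
		}
	}
	return files
}

func main() {
	// Constructed scenario: a temporary directory holding a script, with the
	// script file itself (not only its directory) placed on PATH.
	dir, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	script := filepath.Join(dir, "tool.sh")
	if err := os.WriteFile(script, []byte("#!/bin/sh\necho hi\n"), 0o755); err != nil {
		panic(err)
	}
	path := dir + string(os.PathListSeparator) + script
	os.Setenv("PATH", path)

	fmt.Println("file entries on PATH:", FileEntriesInPath(path))
	for _, name := range []string{"", ".", "..", "tool.sh"} {
		p, err := SafeLookPath(name)
		fmt.Printf("SafeLookPath(%q) -> %q, err=%v\n", name, p, err)
	}
}
```

FileEntriesInPath is the audit you can run against a service's real environment; SafeLookPath is the belt-and-braces check for code that has to keep running on a toolchain older than the fixed one.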

EUVD-2025-23921, CVE-2025-47907

Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.

The Go version was updated to 1.25.1 and all affected Go binaries were recompiled.

IAC-2025-007 (2025-10-06): openssl 3.1 End Of Life

Severity: Medium
Affected versions: 24.0.0 – 24.0.11
Fixed version: 24.1.0
IACBOX version 24 used openssl 3.1 which is End Of Life.
The update to IACBOX 24.1.0 updates openssl to version 3.5.x, the current LTS release, which receives updates until 2030.

IAC-2025-006 (2025-07-14): Possible SQL injection via pgsql extension

Severity: Medium
Affected versions: 24.0.0 – 24.0.8
Fixed version: 24.0.9
Related CVEs: CVE-2025-1735, GHSA-hrwm-9436-5mv3
Missing error checking could result in SQL injection and missing error handling could lead to crashes due to null pointer dereferences.

Further Information
https://github.com/php/php-src/security/advisories/GHSA-hrwm-9436-5mv3

IAC-2025-005 (2025-07-02): sudo vulnerability

Severity: Not affected
Related CVEs: CVE-2025-32462, CVE-2025-32463
The IACBOX is not affected by the sudo vulnerability, as none of our versions ever had "sudo" installed.

IAC-2025-004 (2025-05-22): Vulnerability in PostgreSQL

Severity: Medium
Affected versions: 24.0.0 – 24.0.6
Fixed version: 24.0.7
Related CVEs: CVE-2025-1094
A vulnerability in PostgreSQL allows injecting malicious SQL queries, and local code execution through the interactive psql tool.

Further Information
https://ubuntu.com/security/CVE-2025-1094
https://www.rapid7.com/blog/post/2025/02/13/cve-2025-1094-postgresql-psql-sql-injection-fixed/

IAC-2025-003 (2025-05-13): Vulnerabilities in xz/liblzma

Severity: Medium
Affected versions: 24.0.0 – 24.0.5
Fixed version: 24.0.6
Related CVEs: CVE-2025-31115
A vulnerability in xz/liblzma can lead to a crash if an invalid/manipulated xz archive gets decoded.

For all details please visit: https://tukaani.org/xz/threaded-decoder-early-free.html

IAC-2025-002 (2025-05-13): Multiple vulnerabilities in openssl

Severity: Low
Affected versions: 24.0.0 – 24.0.5
Fixed version: 24.0.6
Related CVEs: CVE-2024-13176, CVE-2024-9143
Multiple vulnerabilities have been found in openssl:

- Fixed timing side-channel in ECDSA signature computation. (CVE-2024-13176)
- Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic curve parameters. (CVE-2024-9143)

These bugs are not critical for the system and have a low severity.

IAC-2025-001 (2025-01-16): Multiple vulnerabilities in rsync

Severity: Medium
Affected versions: 21.0-p21004 – 21.0-p21592, 24.0.0 – 24.0.1
Fixed version: 21.0-p21595, 24.0.2
Related CVEs: CVE-2024-12087, CVE-2024-12088
Updated: 2025-01-22
Multiple vulnerabilities have been found in rsync. Most of them affect only the rsync daemon, which is not in use on the IACBOX, but the rsync client is also affected when it connects to unknown servers that may be controlled by an attacker.

Which versions are affected?

All versions up to v21 are affected as they use rsync. The impact is rated only as Medium because an IACBOX only connects to Asteas-controlled update servers, so there is no real attack surface apart from possible local exploitation.
The rsync package is updated anyway to eliminate any possibly left over risk.
This issue is fixed with the current version 21.0-p21595.

Version 24 no longer uses rsync, but as the binary is still installed it gets updated to the latest rsync version 3.4.1 too.
The new rsync version is shipped with version 24.0.2, released on 22 Jan 2025.

For all details please visit: https://kb.cert.org/vuls/id/952657

IAC-2024-008 (2024-09-30): CUPS vulnerability

Severity: Not affected
Related CVEs: CVE-2024-47177, CVE-2024-47175, CVE-2024-47076, CVE-2024-47176
The IACBOX does not use CUPS and is not affected.

IAC-2024-007 (2024-09-09): Webserver source code disclosure (part 2)

Severity: Medium
Affected versions: 21.0-p21004 – 21.0-p21569
Fixed version: 21.0-p21573
Related CVEs: CVE-2024-40725
The webserver shipped with an IACBOX (apache) had a source code disclosure vulnerability in version 2.4.60.
This was only partially fixed in version 2.4.61, which has already been shipped with IACBOX version 21.0-p21566.
We have not been able to trigger this vulnerability any more, but to be safe we advise you to update to the latest version 21.0-p21573.

See the apache changelog for details

IAC-2024-006 (2024-07-15): Radius vulnerability

Severity: Medium
Affected versions: 21.0-p21004 – 21.0-p21561
Fixed version: 21.0-p21566
Related CVEs: CVE-2024-3596
The discovered vulnerability in the RADIUS protocol, called Blast-RADIUS, affects Radius and iPass authentication on the IACBOX.

Who is affected?
Only systems with the external authentication method Radius or iPass activated are affected, as plain Radius (without EAP) is in use there.
- Note that Radius can also be used as authentication method for WebAdmin logins which is also affected.
- Radius as part of 802.1x is not affected as EAP should always be in use there.

There is a possible MITM attack that can turn a denied authentication into a successful one.
The attacker needs to compute an MD5 chosen-prefix collision for the Response Authenticator within the client's timeout, which takes resources and time, so this is not easy to exploit.

Changes
- From now on Radius requests always have the Message-Authenticator attribute set
- There is a new Radius setting in WebAdmin under Login Methods -> External Authentication -> Radius: Force Message Authentication, which checks that a Radius response carries the Message-Authenticator attribute.
This new option has to be switched on manually, as it may not be backwards compatible with a Radius server that does not send this attribute.
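The check behind the two changes above, as an added example in Go that is not IACBOX code: it builds a minimal RADIUS packet, computes the Message-Authenticator (HMAC-MD5 keyed with the shared secret, RFC 2869) and the Response Authenticator (plain MD5, RFC 2865), and shows that a response without Message-Authenticator is accepted only while the force option is off. The type and function names (Packet, NewResponse, VerifyResponse), the shared secret and the Request Authenticator value are constructed for the example; the MD5 chosen-prefix collision that the real attack needs is not reproduced, so a forged Accept here is caught by the Response Authenticator check, which is exactly the check the collision defeats.

```go
package main

import (
	"crypto/hmac"
	"crypto/md5"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	CodeAccessRequest, CodeAccessAccept, CodeAccessReject = 1, 2, 3
	AttrMessageAuthenticator                              = 80
)

// Packet is a minimal RADIUS packet (RFC 2865 section 3): code, identifier,
// 16-byte authenticator and raw attribute TLVs (type, length, value).
type Packet struct {
	Code, ID      byte
	Authenticator [16]byte
	Attrs         []byte
}

// Encode serialises code, id, big-endian length, authenticator, attributes.
func (p *Packet) Encode() []byte {
	out := binary.BigEndian.AppendUint16([]byte{p.Code, p.ID}, uint16(20+len(p.Attrs)))
	return append(append(out, p.Authenticator[:]...), p.Attrs...)
}

// findAttr returns value offset and length of the first attribute of type t, or -1.
func findAttr(attrs []byte, t byte) (int, int) {
	for i := 0; i+2 <= len(attrs); i += int(attrs[i+1]) {
		if l := int(attrs[i+1]); l < 2 || i+l > len(attrs) {
			return -1, 0 // malformed TLV chain
		} else if attrs[i] == t {
			return i + 2, l - 2
		}
	}
	return -1, 0
}

// messageAuthenticator is the RFC 2869 section 5.14 value: HMAC-MD5 keyed with the
// shared secret over the packet, with the attribute value zeroed and the Request
// Authenticator in the authenticator field (for requests and responses alike).
func messageAuthenticator(p *Packet, reqAuth [16]byte, secret []byte) (out [16]byte, err error) {
	off, n := findAttr(p.Attrs, AttrMessageAuthenticator)
	if off < 0 || n != 16 {
		return out, errors.New("Message-Authenticator missing or malformed")
	}
	tmp := Packet{Code: p.Code, ID: p.ID, Authenticator: reqAuth, Attrs: append([]byte(nil), p.Attrs...)}
	copy(tmp.Attrs[off:off+16], make([]byte, 16))
	mac := hmac.New(md5.New, secret)
	mac.Write(tmp.Encode())
	copy(out[:], mac.Sum(nil))
	return out, nil
}

// responseAuthenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret): plain
// MD5, which is the field the Blast-RADIUS chosen-prefix collision targets.
func responseAuthenticator(p *Packet, reqAuth [16]byte, secret []byte) [16]byte {
	tmp := Packet{Code: p.Code, ID: p.ID, Authenticator: reqAuth, Attrs: p.Attrs}
	return md5.Sum(append(tmp.Encode(), secret...))
}

// NewResponse models the server; withMA selects whether it adds a Message-Authenticator.
func NewResponse(code byte, req *Packet, secret []byte, withMA bool) *Packet {
	p := &Packet{Code: code, ID: req.ID}
	if withMA {
		p.Attrs = append([]byte{AttrMessageAuthenticator, 18}, make([]byte, 16)...)
		mac, _ := messageAuthenticator(p, req.Authenticator, secret)
		copy(p.Attrs[2:18], mac[:])
	}
	p.Authenticator = responseAuthenticator(p, req.Authenticator, secret)
	return p
}

// VerifyResponse is the client check. With force false, a response without the
// attribute passes on the Response Authenticator alone; with force true (the new
// "Force Message Authentication" option) the attribute is required and verified.
func VerifyResponse(resp, req *Packet, secret []byte, force bool) error {
	if responseAuthenticator(resp, req.Authenticator, secret) != resp.Authenticator {
		return errors.New("bad Response Authenticator")
	}
	off, _ := findAttr(resp.Attrs, AttrMessageAuthenticator)
	if off < 0 && !force {
		return nil // legacy server, accepted for backwards compatibility
	}
	want, err := messageAuthenticator(resp, req.Authenticator, secret)
	if err != nil {
		return err // missing with force on, or malformed
	}
	if !hmac.Equal(want[:], resp.Attrs[off:off+16]) {
		return errors.New("bad Message-Authenticator")
	}
	return nil
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed values, not real credentials
	req := &Packet{Code: CodeAccessRequest, ID: 7, Authenticator: [16]byte{1, 2, 3}}
	legacy := NewResponse(CodeAccessAccept, req, secret, false)
	fmt.Println("legacy Accept, force off:", VerifyResponse(legacy, req, secret, false))
	fmt.Println("legacy Accept, force on: ", VerifyResponse(legacy, req, secret, true))
}
```

The point of the option is the distinction between verifying the attribute when present and requiring it: an attacker who can collide the plain-MD5 Response Authenticator simply omits Message-Authenticator, so a client that only verifies it when present gains nothing, while the HMAC keyed with the shared secret is the one value the attacker cannot produce.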

Further Information
See the blastradius.fail page for more details

IAC-2024-005 (2024-07-15): Multiple webserver vulnerabilities

Severity: High
Affected versions: 21.0-p21004 – 21.0-p21561
Fixed version: 21.0-p21566
Related CVEs: CVE-2024-38477, CVE-2024-38475, CVE-2024-38476, CVE-2024-39884
The webserver shipped with an IACBOX (apache) has multiple vulnerabilities which have been fixed with httpd versions 2.4.60 and 2.4.61.
As some of the vulnerabilities allow DoS attacks, all users are advised to update their systems to 21.0-p21566.

See the apache changelog for details

IAC-2024-004 (2024-07-03): OpenSSH regreSSHion vulnerability

Severity: High
Affected versions: 21.0-p21004 – 21.0-p21556
Fixed version: 21.0-p21561
Related CVEs: CVE-2024-6387
OpenSSH has a serious remote code execution vulnerability which is fixed with 21.0-p21561.
See all details in the Qualys report (regreSSHion)
Workaround for systems that can't be updated right now: Disable SSH access from all interfaces or add rules to your firewall so that SSH port (TCP/22) is not reachable.

IAC-2024-003 (2024-04-12): Linux kernel vulnerability

Severity: High
Affected versions: 21.0-p21004 – 21.0-p21530
Fixed version: 21.0-p21543
Related CVEs: CVE-2023-6546
Updated: 2024-04-17
There is a possible local privilege escalation in the Linux kernel GSM module. Even if the module is not in use, it can be loaded and exploited.
UPDATE: Patchlevel update 21.0-p21543 replaces update 21.0-p21536 which provided a workaround for this issue.

IAC-2024-002 (2024-03-31): liblzma/xz/sshd vulnerability

Severity: Not affected
Related CVEs: CVE-2024-3094
The IACBOX is not affected as the used liblzma version does not contain this vulnerability.

IAC-2024-001 (2024-02-01): OpenSSH vulnerability

Severity: Medium
Affected versions: 21.0-p21004 – 21.0-p21510
Fixed version: 21.0-p21518
Related CVEs: CVE-2023-48795
An OpenSSH connection can be downgraded during the handshake (Terrapin attack). As SSH is only rarely used for remote control connections, this does not really affect normal operation.
