Final Request to Remediate Vulnerabilities in Pritunl VPN

We identified numerous vulnerabilities in the Pritunl VPN deployment. These issues have been flagged by our security scans and require prompt remediation to ensure system security and compliance.

Could you please review the findings on your side and provide a remediation plan and estimated timeline for resolving these vulnerabilities as soon as possible?

Thank you in advance for your cooperation.

There are currently version conflicts due to the Oracle Cloud oci library; this is preventing cryptography and several other packages from being upgraded. It appears Oracle is not going to move past cryptography v46, so it’s going to require rewriting code to replace the oci library usage. I have already gone through the details and usage of these libraries in Pritunl, and the vulnerable components in these libraries are not used in Pritunl.

Even if some packages or parts of the code are not actually used, they still negatively affect our vulnerability score and currently make PritunlVPN appear as the most vulnerable application in our system. We kindly ask you to provide an ETA for fixing all identified vulnerabilities.

The problem is that Oracle is not updating their requirements; this has been blocking the updates. I removed the oci library to allow the updates, and this is in the repository now. I still need to test a reimplementation of the oci-based code. This will be included in the next release in the next 1-2 weeks.
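One way to verify independently which installed package is capping cryptography (the situation the maintainer describes above), as an added example that is not Pritunl's or Oracle's code; the SAMPLE_REQUIRES metadata below is constructed for illustration and the real oci specifier may differ:

```python
"""Find which installed Python distributions pin a dependency and block its upgrade."""
import re
from importlib import metadata

# Constructed sample Requires-Dist metadata (not taken from the real packages).
SAMPLE_REQUIRES = {
    "oci": ["cryptography>=3.2.1,<46.0.0", "pyOpenSSL>=17.5.0"],
    "example-app": ["cryptography", "pymongo>=4.0"],
    "requests": ["urllib3>=1.21.1,<3", "certifi>=2017.4.17"],
}

# name, optional [extras], version specifier, optional ; environment marker
_REQ_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*([^;]*?)\s*(;.*)?$")


def parse_requirement(line):
    """Return (normalised name, specifier) from a Requires-Dist line, ignoring extras/markers."""
    m = _REQ_RE.match(line)
    if not m:
        raise ValueError(f"unparseable requirement: {line!r}")
    name = m.group(1).lower().replace("_", "-")
    return name, m.group(3).strip().strip("()")  # older metadata wraps specs in parentheses


def constraints_on(target, requires_map):
    """Map every distribution that depends on `target` to the specifier it declares."""
    target = target.lower()
    found = {}
    for dist, reqs in requires_map.items():
        for line in reqs:
            name, spec = parse_requirement(line)
            if name == target:
                found[dist] = spec
    return found


def blockers(target, requires_map):
    """Distributions whose specifier caps `target` with <, <= or ==, i.e. block upgrading it."""
    return {d: s for d, s in constraints_on(target, requires_map).items()
            if re.search(r"(^|,)\s*(<=?|==)\s*\d", s)}


def installed_requires():
    """Build the same name -> Requires-Dist map from the live environment's metadata."""
    return {d.metadata["Name"]: (d.requires or []) for d in metadata.distributions()}


if __name__ == "__main__":
    for dist, spec in blockers("cryptography", installed_requires()).items():
        print(f"{dist} pins cryptography: {spec}")
```

Run it inside the virtual environment of the deployment being scanned; an empty result means nothing installed there caps cryptography.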