@yuxin.zou i don’t see in release notes fix for tunnel vision:
- Other enhancements
Critical Security Updates
This firmware release fixed a vulnerability tracked as CVE-2023-46456 with a CVSS Score of 9.8. It was possible to inject arbitrary shell commands through the OpenVPN client file upload functionality. CVE-2023-46454 with a CVSS Score of 9.8 was also fixed. It was possible to inject arbitrary shell commands through a crafted package name.
Additionally, this release patched a vulnerability tracked as CVE-2023-46455 with a CVSS Score of 7.5, which could create the possibility of writing arbitrary files through a path traversal attack in the OpenVPN client file upload functionality.
We also fixed CVE-2023-50919 which allowed an NGINX authentication bypass via Lua string pattern matching, and fixed CVE-2023-50920 which potentially allowed the sharing of session identifiers between different sessions and bypassing authentication or accessing control measures.
Will this be fixed?