
Bug #3585

CVE-2014-0160 - OpenSSL Heartbleed Bug

Added by Doktor Notor about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: Operating System
Target version:
Start date: 04/08/2014
Due date:
% Done: 0%
Affected Version: All
Affected Architecture: All

Description

Marking as urgent, see http://heartbleed.com/

History

#1 Updated by Steve Thomas about 4 years ago

+1111111

#2 Updated by Nils Bernhardt about 4 years ago

PFsense 2.1 uses openssl 0.9.8y, which is NOT VULNERABLE.

#3 Updated by Nils Bernhardt about 4 years ago

OK, my fault: find / -type f -name 'openssl' -exec \{\} version \;

OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013

So we ARE VULNERABLE...

#4 Updated by Oliver Schonrock about 4 years ago

that's true only for the base system.

but several packages including lighttpd for the web frontend use /usr/local/bin/openssl (i.e. openssl from ports /usr/ports/security/openssl) which, on pfsense 2.1.1, is:

# /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014

This is vulnerable, and that makes the web frontend vulnerable.

Also, if you read the FreeBSD security advisories from today, there is one that is applicable to the base system openssl (not heartbleed, but different):

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
CVE-2014-0076

So that needs patching as well.
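
The checks in comments #3 and #4 (run every openssl binary on the box, read its version string, decide whether it is in the Heartbleed range) as a small added script. This is an added example, not code from the pfSense thread or project. It assumes the affected range published at heartbleed.com, OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 pre-release, and treats FreeBSD-style suffixes such as 1.0.1e-freebsd as the same base version; the sample version strings in the comments are constructed from the ones quoted in this thread.

```shell
#!/bin/sh
# Added example: classify "openssl version" output against the Heartbleed
# (CVE-2014-0160) affected range, then apply it to every openssl binary
# found on the system, the way the find command in comment #3 does.

# Return 0 (true) if the version string describes a Heartbleed-affected
# build: 1.0.1 through 1.0.1f (with or without a vendor suffix such as
# -freebsd) or the 1.0.2-beta1 pre-release. 0.9.8x, 1.0.0x and 1.0.1g+
# are not affected.
heartbleed_vulnerable() {
    # Split "OpenSSL 1.0.1e 11 Feb 2013" into words: $1=OpenSSL, $2=version
    # shellcheck disable=SC2086
    set -- $1
    [ "$1" = "OpenSSL" ] || return 1
    case "$2" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        1.0.2-beta|1.0.2-beta1)                 return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Run one binary, print its path, reported version and verdict.
# Exit status: 0 vulnerable, 1 not affected, 2 could not execute.
check_binary() {
    bin=$1
    out=$("$bin" version 2>/dev/null) || { echo "$bin: could not run"; return 2; }
    if heartbleed_vulnerable "$out"; then
        echo "$bin: $out -> VULNERABLE (CVE-2014-0160)"
        return 0
    fi
    echo "$bin: $out -> not affected"
    return 1
}

# Check every executable named openssl, base system and ports alike
# (comment #4's point: /usr/bin/openssl and /usr/local/bin/openssl differ).
scan_all() {
    find / -type f -name openssl 2>/dev/null | while read -r bin; do
        [ -x "$bin" ] && check_binary "$bin"
    done
}

# Only walk the filesystem when explicitly asked, e.g. "sh check.sh --scan",
# so the classifier can be sourced or tested without touching the host.
if [ "${1:-}" = "--scan" ]; then
    scan_all
fi
```

Both binaries quoted in the thread (1.0.1e in base, 1.0.1f from ports) classify as vulnerable, while 0.9.8y does not; note that the version string alone says nothing about whether a vendor backported the fix without bumping the version, so after patching, confirm with a rebuilt binary rather than trusting an unchanged string.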

#5 Updated by Frederic MEYER about 4 years ago

Unfortunately.
Check the https://redmine.pfsense.org/issues/3588 to watch the progress.

#6 Updated by Jim Pingle about 4 years ago

FYI- 2.1.2 images are being tested now. So far, so good.

As a reminder, this bug is for Heartbleed in the base system. For issues with packages, see #3588

#7 Updated by Chris Buechler about 4 years ago

  • Status changed from New to Resolved
  • Target version set to 2.1.2

fixed
