Bug #3585

CVE-2014-0160 - OpenSSL Heartbleed Bug

Added by Doktor Notor over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Urgent
Assignee:
-
Category:
Operating System
Target version:
Start date:
04/08/2014
Due date:
% Done:

0%

Estimated time:
Affected Version:
All
Affected Architecture:
All

Description

Marking as urgent, see http://heartbleed.com/

History

#1 Updated by Steve Thomas over 4 years ago

+1111111

#2 Updated by Nils Bernhardt over 4 years ago

pfSense 2.1 uses openssl 0.9.8y, which is NOT VULNERABLE.

#3 Updated by Nils Bernhardt over 4 years ago

OK, my fault: find / -type f -name 'openssl' -exec \{\} version \;

OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013

So we ARE VULNERABLE...

#4 Updated by Oliver Schonrock over 4 years ago

That's true only for the base system.

But several packages, including lighttpd for the web frontend, use /usr/local/bin/openssl (i.e. openssl from ports, /usr/ports/security/openssl), which on pfSense 2.1.1 is:

  # /usr/local/bin/openssl version
  OpenSSL 1.0.1f 6 Jan 2014

This is vulnerable, and that makes the web frontend vulnerable.

Also, if you read the FreeBSD security advisories from today, there is one that is applicable to the base system openssl (not Heartbleed, but a different one):

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
CVE-2014-0076

So that needs patching as well.
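The check comments #3 and #4 describe (run every `openssl` binary on the box and compare its version string against the Heartbleed range) as a script, added here as an example; it is not from the ticket or from pfSense. The affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g, 0.9.8 and 1.0.0 unaffected) is taken from the OpenSSL advisory; the `ldd` helper and the lighttpd path named in the usage note are assumptions about a FreeBSD ports layout, and the sample version lines are constructed from the outputs quoted above.

```shell
#!/bin/sh
# Added example, not pfSense project code: classify `openssl version` output
# against the CVE-2014-0160 (Heartbleed) affected range, then optionally walk
# the filesystem the way comment #3 did so the base and ports copies are both
# reported.
#
# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches never had the TLS heartbeat
# code and are unaffected.

# heartbleed_status "<one line of openssl version output>"
# Prints one word: vulnerable | fixed | unaffected | unknown
heartbleed_status() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo vulnerable ;;
        1.0.1[g-z]*|1.0.2*)            echo fixed ;;      # 1.0.2 final shipped after the fix
        0.9.*|1.0.0*|1.1.*|2.*|3.*)    echo unaffected ;;
        *)                             echo unknown ;;    # not an `openssl version` line
    esac
}

# scan_openssl_binaries: execute every file named openssl (comment #3's find)
# and print "path<TAB>version line<TAB>status". Slow on a real box, so it is
# only run when the script is invoked with --scan.
scan_openssl_binaries() {
    find / -type f -name openssl 2>/dev/null | while read -r bin; do
        line=$("$bin" version 2>/dev/null) || line=""
        printf '%s\t%s\t%s\n' "$bin" "${line:-<no output>}" "$(heartbleed_status "$line")"
    done
}

# linked_libssl <binary>: which libssl a daemon actually loads. Assumption:
# on a FreeBSD-derived system a ports build resolves to /usr/local/lib/libssl.so.*,
# a base-system build to /usr/lib/libssl.so.*; the version string alone does
# not tell you which one lighttpd is using.
linked_libssl() {
    ldd "$1" 2>/dev/null | awk '/libssl/ { print $3 }'
}

# Constructed sample lines (taken from the outputs quoted in the ticket plus
# the 1.0.1g fix release) so the classifier can be exercised offline.
demo() {
    for s in "OpenSSL 1.0.1e 11 Feb 2013" \
             "OpenSSL 0.9.8y 5 Feb 2013" \
             "OpenSSL 1.0.1f 6 Jan 2014" \
             "OpenSSL 1.0.1g 7 Apr 2014"; do
        printf '%-30s %s\n' "$s" "$(heartbleed_status "$s")"
    done
}

demo
if [ "${1:-}" = "--scan" ]; then
    scan_openssl_binaries
fi
```

Run it with `--scan` on the firewall to get the table; on a 2.1.1 box the base 1.0.1e and the ports 1.0.1f should both come back as vulnerable while 0.9.8y is unaffected. To confirm which copy the web frontend is exposed through, call `linked_libssl` on the lighttpd binary (assumed to be /usr/local/sbin/lighttpd for a ports install). The caveat a practitioner needs: the version string cannot show a build with heartbeats compiled out (-DOPENSSL_NO_HEARTBEATS) or a vendor backport of the fix, so a "vulnerable" verdict from this script is a reason to patch or to test the service directly, not proof on its own.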

#5 Updated by Frederic MEYER over 4 years ago

Unfortunately.
Check the https://redmine.pfsense.org/issues/3588 to watch the progress.

#6 Updated by Jim Pingle over 4 years ago

FYI- 2.1.2 images are being tested now. So far, so good.

As a reminder, this bug is for Heartbleed in the base system. For issues with packages, see #3588

#7 Updated by Chris Buechler over 4 years ago

  • Status changed from New to Resolved
  • Target version set to 2.1.2

fixed
