CVE-2014-0160 - OpenSSL Heartbleed Bug
Marking as urgent, see http://heartbleed.com/
#4 Updated by Oliver Schonrock about 5 years ago
That's true only for the base system.
But several packages, including lighttpd for the web frontend, use /usr/local/bin/openssl (i.e. openssl from ports, /usr/ports/security/openssl), which in pfSense 2.1.1 is:
- /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014
This is vulnerable, and that makes the web frontend vulnerable.
Also, if you read the FreeBSD security advisories from today, there is one that is applicable to the base system openssl (not heartbleed, but different);
So that needs patching as well.
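
Added example, not part of the original ticket: a shell check that reports both the base-system and the ports openssl binaries and classifies each version banner against the upstream releases affected by CVE-2014-0160 (1.0.1 through 1.0.1f, and 1.0.2-beta1). The base path /usr/bin/openssl and the function names are assumptions. A version string alone is not conclusive, because a vendor may backport the fix without changing it or build without heartbeat support.

```shell
#!/bin/sh
# Classify an `openssl version` banner for CVE-2014-0160 by version string.
# Upstream affected releases: 1.0.1 .. 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g).
heartbleed_status() {
    # $1 = full banner, e.g. "OpenSSL 1.0.1f 6 Jan 2014"
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    ver=${ver%-fips}                 # FIPS builds append "-fips" to the version
    case "$ver" in
        "")                              echo unknown ;;
        1.0.1|1.0.1[a-f]|1.0.2-beta1)    echo affected ;;
        *)                               echo not-affected ;;
    esac
}

# Report every openssl binary given as an argument. Base and ports copies
# can differ, which is the situation described in the comment above.
check_binaries() {
    for bin in "$@"; do
        if [ -x "$bin" ]; then
            banner=$("$bin" version 2>/dev/null) || banner=""
            printf '%s: %s -> %s\n' "$bin" "${banner:-no banner}" \
                "$(heartbleed_status "$banner")"
        else
            printf '%s: not present\n' "$bin"
        fi
    done
}

# /usr/bin/openssl is the assumed base-system path; the ports path is the
# one named in the ticket.
check_binaries /usr/bin/openssl /usr/local/bin/openssl
```

Services that were started before an upgrade keep the old library mapped, so they need a restart after the package is replaced.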