Bug #3585
Status: closed
CVE-2014-0160 - OpenSSL Heartbleed Bug
Updated by Nils Bernhardt over 10 years ago
PFsense 2.1 uses openssl 0.9.8y, which is NOT VULNERABLE.
Updated by Nils Bernhardt over 10 years ago
OK, my fault: find / -type f -name 'openssl' -exec \{\} version \;
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013
So we ARE VULNERABLE...
Updated by Oliver Schonrock over 10 years ago
that's true only for the base system.
but several packages including lighttpd for the web frontend use /usr/local/bin/openssl (i.e. openssl from ports, /usr/ports/security/openssl), which on pfsense 2.1.1 is:
- /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014
This is vulnerable, and that makes the web frontend vulnerable.
Also, if you read the FreeBSD security advisories from today, there is one that is applicable to the base system openssl (not heartbleed, but different):
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
CVE-2014-0076
So that needs patching as well.
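The two comments above both come down to the same inventory question: which openssl binaries exist on the box (base system vs. ports) and which of them report a Heartbleed-affected version. The script below is an added example, not code from this thread or from the pfSense project. It classifies an `openssl version` line against the published CVE-2014-0160 range (1.0.1 through 1.0.1f affected, 1.0.1g and later fixed, the 0.9.8 and 1.0.0 branches never contained the heartbeat code) and wraps the same `find`-based walk the thread uses. The `HEARTBLEED_SCAN` environment variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Classify a single "openssl version" output line for CVE-2014-0160 (Heartbleed).
# Affected: OpenSSL 1.0.1 through 1.0.1f. Fixed: 1.0.1g and later.
# The 0.9.8 and 1.0.0 branches never shipped the TLS heartbeat extension.
# Anything else (betas, unexpected strings) is reported as "unknown" so it is
# looked at by hand rather than silently treated as safe.
heartbleed_status() {
    # $1 is the full line, e.g. "OpenSSL 1.0.1f 6 Jan 2014"; field 2 is the version.
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]*) echo "VULNERABLE" ;;
        1.0.1*)                    echo "fixed" ;;
        0.9.8*|1.0.0*)             echo "not affected" ;;
        *)                         echo "unknown" ;;
    esac
}

# Walk the filesystem for every executable named openssl, as the thread does,
# so that both the base-system binary and the ports copy under /usr/local are
# covered, and print path, reported version and classification per binary.
scan_openssl_binaries() {
    find / -type f -name openssl -perm -u+x 2>/dev/null | while read -r bin; do
        line=$("$bin" version 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$bin" "$line" "$(heartbleed_status "$line")"
    done
}

# Only run the filesystem walk when explicitly asked (assumed variable name),
# so the file can also be sourced to reuse heartbleed_status on saved output.
if [ "${HEARTBLEED_SCAN:-0}" = 1 ]; then
    scan_openssl_binaries
fi
```

Run it as `HEARTBLEED_SCAN=1 sh heartbleed_check.sh` on the firewall; a line ending in `VULNERABLE` for `/usr/local/bin/openssl` is exactly the situation described above, and the `unknown` bucket is deliberately not mapped to "safe".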
Updated by Frederic MEYER over 10 years ago
Unfortunately.
Check the https://redmine.pfsense.org/issues/3588 to watch the progress.
Updated by Jim Pingle over 10 years ago
FYI- 2.1.2 images are being tested now. So far, so good.
As a reminder, this bug is for Heartbleed in the base system. For issues with packages, see #3588
Updated by Chris Buechler over 10 years ago
- Status changed from New to Resolved
- Target version set to 2.1.2
fixed