Bug #3585

closed

CVE-2014-0160 - OpenSSL Heartbleed Bug

Added by Doktor Notor over 10 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Urgent
Assignee: -
Category: Operating System
Target version:
Start date: 04/08/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All

Description

Marking as urgent, see http://heartbleed.com/

Actions #1

Updated by Steve Thomas over 10 years ago

+1111111

Actions #2

Updated by Nils Bernhardt over 10 years ago

PFsense 2.1 uses openssl 0.9.8y, which is NOT VULNERABLE.

Actions #3

Updated by Nils Bernhardt over 10 years ago

OK, my fault:

find / -type f -name 'openssl' -exec {} version \;

OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013

So we ARE VULNERABLE...

Actions #4

Updated by Oliver Schonrock over 10 years ago

That's true only for the base system.

But several packages, including lighttpd for the web frontend, use /usr/local/bin/openssl (i.e. openssl from ports, /usr/ports/security/openssl), which in pfsense 2.1.1 is:

# /usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014

This is vulnerable, and that makes the web frontend vulnerable.

Also, if you read the FreeBSD security advisories from today, there is one that is applicable to the base system openssl (not heartbleed, but different):

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
CVE-2014-0076

So that needs patching as well.
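The check run by hand in comments #3 and #4, as an added example that is not part of the original thread or of pfSense: it finds every `openssl` binary under a root directory and labels each version banner against the upstream CVE-2014-0160 affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta and 1.0.2-beta1). The function names and output labels are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread): locate openssl binaries and classify
# their banners against the upstream Heartbleed (CVE-2014-0160) range.
# Caveat: the banner shows the upstream version only. A vendor can backport
# the fix without changing the letter, or build with -DOPENSSL_NO_HEARTBEATS,
# so "vulnerable" means "in the affected range, check the vendor advisory".

classify_banner() {
    # $1 = banner as printed by `openssl version`,
    #      e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 && $1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                                  echo "unknown" ;;
        # 1.0.1 through 1.0.1f; vendor-suffixed builds (-fips, -freebsd)
        # are conservatively treated like the same upstream letter.
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) echo "vulnerable" ;;
        1.0.2-beta|1.0.2-beta1)              echo "vulnerable" ;;
        # 0.9.8 and 1.0.0 never shipped the heartbeat code; 1.0.1g is fixed.
        *)                                   echo "not-in-affected-range" ;;
    esac
}

scan_openssl() {
    # $1 = directory to search (the thread searched /).
    # Prints: path <TAB> banner <TAB> classification, one line per binary.
    find "$1" -type f -name openssl 2>/dev/null | while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || banner=""
        printf '%s\t%s\t%s\n' "$bin" "${banner:-<no banner>}" \
            "$(classify_banner "$banner")"
    done
}

# Run a scan only when asked to: sh script.sh --scan [root]
if [ "${1:-}" = "--scan" ]; then
    scan_openssl "${2:-/}"
fi
```

A name-based search only finds command-line binaries; services with a statically linked or separately bundled libssl need to be checked on their own.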

Actions #5

Updated by Frederic MEYER over 10 years ago

Unfortunately.
Check https://redmine.pfsense.org/issues/3588 to watch the progress.

Actions #6

Updated by Jim Pingle over 10 years ago

FYI- 2.1.2 images are being tested now. So far, so good.

As a reminder, this bug is for Heartbleed in the base system. For issues with packages, see #3588

Actions #7

Updated by Chris Buechler over 10 years ago

  • Status changed from New to Resolved
  • Target version set to 2.1.2

fixed
