Bug #3585
Status: closed
CVE-2014-0160 - OpenSSL Heartbleed Bug
Start date: 04/08/2014
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture: All
Added by Doktor Notor over 10 years ago. Updated over 10 years ago.
pfSense 2.1 uses OpenSSL 0.9.8y, which is NOT VULNERABLE.
OK, my fault:
find / -type f -name 'openssl' -exec {} version \;
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013
So we ARE VULNERABLE...
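The version check in the post above, generalized, as an added example that is not from this tracker or from the pfSense project: a POSIX sh script that runs every openssl binary found on the host, as the find one-liner above does, and classifies the reported version against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 predate the heartbeat code, and 1.0.1g carries the fix). The function names, the tab-separated output format and the script file name are this example's own choices. Caveat a practitioner will want: a version string cannot show whether a vendor backported the fix under an older version number, so on a patched system treat VULNERABLE as "check the OS or package advisory, or probe the listening service", not as proof.

```sh
#!/bin/sh
# Added example, not pfSense project code. Enumerates openssl binaries the
# way the thread's find(1) one-liner does and classifies each reported
# version against the Heartbleed (CVE-2014-0160) affected range.
# Function names and output format are this example's own choices.

# classify_version "OpenSSL 1.0.1e 11 Feb 2013"
# Prints VULNERABLE, "NOT VULNERABLE" or UNKNOWN based only on the version
# token. Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1. 0.9.8 and 1.0.0
# predate the heartbeat extension; 1.0.1g and later carry the fix.
# A backported vendor patch is invisible here (see the caveat in the text).
classify_version() {
    ver=$(printf '%s\n' "$1" | awk '{print $2}')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "VULNERABLE" ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo "NOT VULNERABLE" ;;
        *)
            echo "UNKNOWN" ;;
    esac
}

# scan_openssl_binaries [ROOT]
# Runs every executable named "openssl" under ROOT (default /) and prints
# one line per binary: path, version string, verdict (tab separated).
# On the pfSense 2.1.x host in the thread this distinguishes the base
# system openssl (0.9.8y) from the ports /usr/local/bin/openssl (1.0.1e)
# that the web frontend's lighttpd uses.
scan_openssl_binaries() {
    root=${1:-/}
    find "$root" -type f -name openssl -perm -100 2>/dev/null |
    while IFS= read -r bin; do
        out=$("$bin" version 2>/dev/null) || out="(no version output)"
        printf '%s\t%s\t%s\n' "$bin" "$out" "$(classify_version "$out")"
    done
}

# Usage: sh heartbleed_scan.sh /
# The filesystem walk only runs when a root is given, so the file can be
# sourced for its functions without touching the disk.
if [ "$#" -gt 0 ]; then
    scan_openssl_binaries "$1"
fi
```

The classifier deliberately returns UNKNOWN for anything outside the version families it recognises rather than guessing; a scan result of UNKNOWN means "look at this binary by hand", which is the safer failure mode during an incident like this one.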
That's true only for the base system.
But several packages, including lighttpd for the web frontend, use /usr/local/bin/openssl (i.e. openssl from ports, /usr/ports/security/openssl), which on pfSense 2.1.1 is:
This is vulnerable, and that makes the web frontend vulnerable.
Also, if you read the FreeBSD security advisories from today, there is one that is applicable to the base system OpenSSL (not Heartbleed, but a different issue):
http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
CVE-2014-0076
So that needs patching as well.
Unfortunately.
Check https://redmine.pfsense.org/issues/3588 to watch the progress.
FYI, 2.1.2 images are being tested now. So far, so good.
As a reminder, this bug is for Heartbleed in the base system. For issues with packages, see #3588
fixed