Home
Projects
Help

Search:

pfSense

All Projects

pfSense

Overview
Activity
Roadmap
Issues
Gantt
Calendar
News
Documents
Repository

Custom queries

2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Target - All Closed Issues
25.03 Plus - All Closed Issues
25.03 Plus - All Open Issues
25.03 Plus - Feedback Issues
25.03 Plus - Needs Attention/Work
25.03 Plus - New/Confirmed/In Progress Issues
25.03 Plus - Pull Request Review
25.03 Plus - Waiting on Merge
25.03 Target - All Closed Issues
25.03 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - CE Target Version (DO NOT EDIT)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #3585

closed

CVE-2014-0160 - OpenSSL Heartbleed Bug

Added by Doktor Notor about 11 years ago. Updated about 11 years ago.

Status:

Resolved

Priority:

Urgent

Assignee:

Category:

Operating System

Target version:

2.1.2

Start date:

04/08/2014

Due date:

% Done:

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

Marking as urgent, see http://heartbleed.com/

History
Notes
Property changes

Actions

Copy link

Updated by Steve Thomas about 11 years ago

+1111111

Actions

Copy link

Updated by Nils Bernhardt about 11 years ago

PFsense 2.1 uses openssl 0.9.8y, which is NOT VULNERABLE.

Actions

Copy link

Updated by Nils Bernhardt about 11 years ago

OK, my fault: find / -type f -name 'openssl' -exec \{\} version \;

OpenSSL 1.0.1e 11 Feb 2013
OpenSSL 0.9.8y 5 Feb 2013

So we ARE VULNERABLE...

Actions

Copy link

Updated by Oliver Schonrock about 11 years ago

that's true only for the base system.

but several packages including lighttpd for the webfrontend use /usr/local/bin/openssl (ie openssl from ports /usr/ports/security/openssl) which, pfsense 2.1.1 is:

/usr/local/bin/openssl version
OpenSSL 1.0.1f 6 Jan 2014

This is vulnerable, and that make the web frontend vulnerable.

Also if you read the FreeBSD secruity advisories from today, there is one that is applicable to the base system openssl (not heartbleed, but different);

http://www.freebsd.org/security/advisories/FreeBSD-SA-14:06.openssl.asc
CVE-2014-0076

So that needs patching as well.

Actions

Copy link