More OpenSSL vulnerabilities
-
@Gio:
Wonder if the pfSense team is working on a new release with openssl 1.0.1h version?
They have, it's already released. Clearly the result of a code audit after Heartbleed.
-
@ingenieurmt:
@Gio:
Wonder if the pfSense team is working on a new release with openssl 1.0.1h version?
They have, it's already released. Clearly the result of a code audit after Heartbleed.
Really? It hasn't been announced or uploaded to any of the mirrors.
-
This is not the same vulnerability we're talking about here. 2.1.2 updated OpenSSL to 1.0.1g to fix heartbleed. This new vulnerability seems to necessitate a further update.
Steve
-
Sorry, misread the question. I thought it was asking if another OpenSSL release was coming.
Is the pfSense team working on a new build with the updated OpenSSL release? Almost certainly.
-
This one is not an easily exploitable bug like heartbleed. While it should be fixed, it does not require the kind of immediate response that heartbleed did.
-
It's not Heartbleed by a long shot.
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Here is a snippet from the security announcement we're still drafting:
OpenSSL accepts ChangeCipherSpec (CCS) inappropriately during a handshake which
permits a Man-in-the-Middle attack leading to possible data disclosure by
enabling decryption of SSL traffic[2][3]. The attack requires several conditions
to be met, which drastically reduce its potential for exploitation. The required
criteria for exploitation are:
- A vulnerable server, such as the pfSense GUI or OpenVPN server.
- A vulnerable client, such as a browser or OpenVPN client.
- A position of power between the client and server where packets may be
intercepted and inserted. (e.g. untrusted wifi hotspot)
Further reducing the potential for exploitation are the following mitigating
factors:
- Most browsers are not vulnerable as they do not use OpenSSL (Chrome for Android
being a notable exception[4].)
- OpenVPN is only vulnerable in SSL/TLS mode WITHOUT a TLS Authentication key.
In short: In the meantime, make sure your OpenVPN clients get updated (we already updated the export package with new Windows binaries, 2.3.4-I002) and it's not much of an issue. If your OpenVPN SSL/TLS servers already use a TLS auth key, you have little to worry about.
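The mitigating factor quoted above (OpenVPN is only exposed in SSL/TLS mode without a TLS authentication key) is easy to check across a set of server and client configs. The following audit script is an added example, not pfSense code or anything from this thread; the config texts it scans are constructed samples, and the names, file contents and the `audit` helper are all assumptions made for the illustration. It classifies each config as static-key or TLS mode, looks for a `tls-auth` directive or an inline `<tls-auth>` block, and flags only the TLS-mode configs that lack one.

```python
import re
from dataclasses import dataclass

# Directives that put OpenVPN into SSL/TLS (certificate-based) mode.
TLS_MODE_DIRECTIVES = {"tls-server", "tls-client", "server", "client", "ca", "cert"}


@dataclass
class Finding:
    name: str
    mode: str           # "tls", "static-key" or "unknown"
    has_tls_auth: bool
    exposed: bool       # TLS mode with no TLS authentication key


def parse_directives(text):
    """Return (directive -> list of argument lists, set of inline block names).

    Skips '#' / ';' comment lines and collapses unified-config inline blocks
    such as <ca>...</ca> or <tls-auth>...</tls-auth> into their block name."""
    directives, blocks, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            in_block = m.group(1)
            blocks.add(in_block)
            continue
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives, blocks


def audit_config(name, text):
    directives, blocks = parse_directives(text)
    if "secret" in directives:
        mode = "static-key"          # pre-shared static key, no TLS handshake
    elif TLS_MODE_DIRECTIVES & directives.keys():
        mode = "tls"
    else:
        mode = "unknown"
    has_tls_auth = "tls-auth" in directives or "tls-auth" in blocks
    # Per the advisory text: only SSL/TLS mode WITHOUT a TLS auth key is exposed.
    exposed = mode == "tls" and not has_tls_auth
    return Finding(name, mode, has_tls_auth, exposed)


def audit(configs):
    """configs: mapping of config name -> config text. Returns one Finding each."""
    return [audit_config(name, text) for name, text in configs.items()]


def exposed_names(configs):
    return sorted(f.name for f in audit(configs) if f.exposed)


# Constructed sample configs (hypothetical names and paths, for illustration only).
SAMPLE_CONFIGS = {
    "server-with-tlsauth": """
        # road-warrior server, TLS mode, with a TLS auth key
        server 10.8.0.0 255.255.255.0
        ca ca.crt
        cert server.crt
        key server.key
        dh dh.pem
        tls-auth ta.key 0
    """,
    "server-no-tlsauth": """
        ; same server, but the TLS auth key was never configured
        server 10.8.1.0 255.255.255.0
        ca ca.crt
        cert server.crt
        key server.key
        dh dh.pem
    """,
    "site-to-site-static": """
        dev tun
        ifconfig 10.9.0.1 10.9.0.2
        secret static.key
    """,
    "client-inline": """
        client
        remote vpn.example.invalid 1194
        <ca>
        -----BEGIN CERTIFICATE-----
        (constructed placeholder)
        -----END CERTIFICATE-----
        </ca>
        <tls-auth>
        (constructed placeholder key)
        </tls-auth>
    """,
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(finding)
```

Running it against real files means reading each `.conf`/`.ovpn` into the mapping; on pfSense the checked-in configs live under the firewall's OpenVPN directory, and the only lines that matter to the verdict are `secret`, the TLS-mode directives and `tls-auth`.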
-
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Hi jimp,
I run an OpenVPN client from my pfSense box. In the meantime, is it possible to update OpenSSL to 0.9.8za without adversely affecting the base system?
Cheers,
-
Previous advice immediately after Heartbleed broke was not to do that, there's a good chance you'll break something.
@cmb: Don't try to patch or upgrade OpenSSL, you'll more than likely just break things. Each PBI has its own copy, plus the base system.
Steve
-
It's not Heartbleed by a long shot.
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
It seems that OpenSSL in 2.0.x is also vulnerable to this bug. Is there then also a 2.0.4 security update available?
Bests
-
It's not Heartbleed by a long shot.
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
It seems that OpenSSL in 2.0.x is also vulnerable to this bug. Is there then also a 2.0.4 security update available?
Bests
I wouldn't hold my breath, the 2.0.x versions are marked as "deprecated" on the release information page. There was nothing done on them to fix the heartbleed vulnerability as far as I know.
-
No, there will not be a 2.0.x release, that line is no longer supported.
Don't replace the OpenSSL in base yourself.
-
@kpa:
There was nothing done on them to fix the heartbleed vulnerability as far as I know.
The 2.0.X versions were not vulnerable to Heartbleed, but they may be vulnerable to a whole host of other things. ;)
Steve
-
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Any idea when we can expect to see 2.1.4 release?
Cheers,
-
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Any idea when we can expect to see 2.1.4 release?
Cheers,
"ETA mid next-week."?
-
"ETA mid next-week."?
Just asking, as that was last week; in the meantime I still can't use OpenVPN because of the vuln.
-
Hit a couple snags but it's still coming soon.
You can use OpenVPN if you use a TLS auth key. Also if you update your clients, it's fine. Please read all of the text I quoted earlier in the thread.