More OpenSSL vulnerabilities
-
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Hi jimp,
I run an OpenVPN client from my pfsense box. In the meantime is it possible to update OpenSSL to 0.9.8za without adversely affecting the base system?
Cheers,
-
Previous advice immediately after Heartbleed broke was not to do that, there's a good chance you'll break something.
@cmb:Don't try to patch or upgrade OpenSSL, you'll more than likely just break things. Each PBI has its own copy, plus the base system.
Steve
-
It's not Heartbleed by a long shot.
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
It seems that OpenSSL in 2.0.x is also vulnerable to this bug. Is there then also a 2.0.4 security update available?
Bests
-
It's not Heartbleed by a long shot.
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
It seems that OpenSSL in 2.0.x is also vulnerable to this bug. Is there then also a 2.0.4 security update available?
Bests
I wouldn't hold my breath, the 2.0.x versions are marked as "deprecated" on the release information page. There was nothing done on them to fix the heartbleed vulnerability as far as I know.
-
No, there will not be a 2.0.x release, that line is no longer supported.
Don't replace the OpenSSL in base yourself.
-
@kpa:
There was nothing done on them to fix the heartbleed vulnerability as far as I know.
The 2.0.X versions were not vulnerable to Heartbleed, but they may be vulnerable to whole host of other things.ย ;)
Steve
-
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Any idea when we can expect to see 2.1.4 release?
Cheers,
-
There will be a 2.1.4 coming, but we're not rushing it out like we did with Heartbleed. ETA mid next-week.
Any idea when we can expect to see 2.1.4 release?
Cheers,
"ETA mid next-week."?
-
"ETA mid next-week."?
Just asking as that was last week, in the meantime I still can't use OpenVPN because of the vuln.
-
Hit a couple snags but it's still coming soon.
You can use OpenVPN if you use a TLS auth key. Also if you update your clients, it's fine. Please read all of the text I quoted earlier in the thread.