Netgate Discussion Forum
    OpenSSL lagging version

    Firewalling
    15 Posts 5 Posters 2.9k Views
    • Nullity

      @kejianshi:

      Infected?

      Digitally infected. Were you thinking of something else?  :-X

      I prefer to assume that I am always "infected" (hacked, trojaned, backdoored, rooted, whatever).

      Please correct any obvious misinformation in my posts.
      -Not a professional; an arrogant ignoramus.

      • kejianshi

        Being backdoored sucks…  Sorry.  (-:

        OK - So you are just making an assumption then.  Cool.

        • Nullity

          @kejianshi:

          Being backdoored sucks…  Sorry.  (-:

          Zing! :D

          OK - So you are just making an assumption then.  Cool.

          Yeah, just an assumption. Well… unless you run Windows. ;)


          • jimp (Rebel Alliance Developer, Netgate)

            The last round of CVEs were all fairly minor as they pertain to pfSense. The worst things are some potential DoS situations with bad certs (OpenVPN, perhaps, but even then an attacker would need a proper TLS key… you are using TLS keys, right?)

            The later OpenSSL will likely come in 2.2.2, whenever that lands.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            • dplat

              Ok, I've just upgraded to this new release: 2.2.2-RELEASE (amd64)
              built on Mon Apr 13 20:10:22 CDT 2015 - FreeBSD 10.1-RELEASE-p9

              and guess what?  STILL the OLD OPENSSL

              WHEN WILL PFSENSE TAKE SECURITY SERIOUSLY?

              https://www.openssl.org/ log file shows many HIGH SEVERITY security holes since JANUARY 2015!

              The NSA bast**** are spying on us, why do you ease their job? Do they give you any "directive"?

              • jimp (Rebel Alliance Developer, Netgate)

                FreeBSD patches OpenSSL without increasing the OpenSSL version ID. The same as they always have.

                We have the patches included, don't trust the version number alone.

                https://www.freebsd.org/security/advisories/FreeBSD-SA-15:06.openssl.asc

                • dplat

                  openvpn: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
                  openvpn: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015

                  • jimp (Rebel Alliance Developer, Netgate)

                    As I mentioned before, the patches are there but the version number remains the same, which includes that date. It's not a compile date, but a static date tied to the version identifier. That's just how FreeBSD updates OpenSSL in a security release to minimize changes. So long as the FreeBSD version in "uname -a" shows 10.1-RELEASE-p8 or later, as shown in the SA, it's correct.

                    • dplat

                      I've just updated to 2.2.3 and guess what:

                      pfSense is still using the old library version: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

                      There have been MANY security fixes since the 15th of January 2015:
                      https://www.openssl.org/news/

                      It's hard to believe that you're not helping these fu**ing NSA guys/spies.
                      The patches to get 1.0.2c haven't been applied.

                      Can someone demonstrate that the current OpenSSL implemented in pfSense 2.2.3 is indeed the old 1.0.1l?
                      Thanks

                      "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
                      Edward Snowden

                      "Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer."
                      Glenn Greenwald in Why privacy matters - TED Talk

                      Latest news, censored by US media, shame on us: http://laht.com/article.asp?CategoryId=12395&ArticleId=2390963

                      • jimp (Rebel Alliance Developer, Netgate)

                        FreeBSD patches OpenSSL without changing the version number.

                        https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A10.openssl.asc

                        From there:

                        2015-06-12 07:23:55 UTC (releng/10.1, 10.1-RELEASE-p12)

                        From 2.2.3:

                        : uname -r
                        10.1-RELEASE-p13
                        

                        -p13 > -p12, therefore we have the patches.

                        Stop only looking at version numbers. They don't mean as much as you think they mean.

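As an added example that is not part of the thread or of pfSense/FreeBSD: a small POSIX sh check that applies the rule jimp gives above, comparing the -pN patch level in "uname -r" against the level the FreeBSD SA lists as fixed (10.1-RELEASE-p12 for SA-15:10), rather than the OpenSSL version string. The function names and the --check flag are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense/FreeBSD: FreeBSD ships
# OpenSSL fixes in security releases without bumping the library version, so
# the thing to compare is the -pN patch level in "uname -r" against the level
# the SA lists as fixed (SA-15:10: 10.1-RELEASE-p12).
# Function names and the --check flag are my own.

# Print "<branch> <patchlevel>" for a release string, e.g.
# "10.1-RELEASE-p13" -> "10.1 13"; a release with no -pN suffix is level 0.
parse_release() {
    rel=$1
    branch=${rel%%-*}
    case $rel in
        *-p[0-9]*) level=${rel##*-p} ;;
        *)         level=0 ;;
    esac
    printf '%s %s\n' "$branch" "$level"
}

# has_sa_fix <running release> <release the SA lists as fixed>
# Returns 0 if the fix is present, 1 if not, 2 if the two strings are on
# different release branches (10.1 vs 10.2), where patch levels do not
# compare and the SA has to be read for that branch instead.
has_sa_fix() {
    set -- "$(parse_release "$1")" "$(parse_release "$2")"
    run_branch=${1% *}; run_level=${1#* }
    fix_branch=${2% *}; fix_level=${2#* }
    [ "$run_branch" = "$fix_branch" ] || return 2
    [ "$run_level" -ge "$fix_level" ]
}

# Live check on a pfSense/FreeBSD box: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    running=$(uname -r)
    fixed="10.1-RELEASE-p12"    # from FreeBSD-SA-15:10.openssl
    rc=0; has_sa_fix "$running" "$fixed" || rc=$?
    case $rc in
        0) echo "running $running >= $fixed: SA-15:10 fixes present" ;;
        1) echo "running $running <  $fixed: SA-15:10 fixes MISSING" ;;
        *) echo "running $running is on a different branch than $fixed; read the SA for that branch" ;;
    esac
    exit "$rc"
fi
```

The 2.2.2 build string quoted earlier in the thread, 10.1-RELEASE-p9, passes the same check against the 10.1-RELEASE-p8 level jimp cites for SA-15:06.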
                        • mer

                          @dplat:

                          I've just updated to 2.2.3 and guess what:

                          pfSense is still using the old library version: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

                          There have been MANY security fixes since the 15th of January 2015:
                          https://www.openssl.org/news/

                          It's hard to believe that you're not helping these fu**ing NSA guys/spies.
                          The patches to get 1.0.2c haven't been applied.

                          Can someone demonstrate that the current OpenSSL implemented in pfSense 2.2.3 is indeed the old 1.0.1l?
                          Thanks

                          You may want to actually read what John is saying about the manner in which FreeBSD patches things in a security release. Really it's not that hard to understand.

                          • dplat

                            @jimp:

                            Stop only looking at version numbers. They don't mean as much as you think they mean.

                            Ok thanks

                            @mer:

                            You may want to actually read what John is saying about the manner in which FreeBSD patches things in a security release. Really it's not that hard to understand.

                            Alright, thanks

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.