Netgate Discussion Forum
    openssl CVE-2021-3449 & CVE-2021-3450

    General pfSense Questions (11 Posts, 3 Posters, 1.2k Views)
      jimp (Netgate Developer):

      The updated version has already been incorporated into the RC snapshots for pfSense Plus 21.02.2 and pfSense CE 2.5.1.

      https://redmine.pfsense.org/issues/11755

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        apollo13 (replying to jimp):

        @jimp Thanks. May I ask how serious a vulnerability has to be for Netgate to issue an immediate release? The current OpenSSL issue apparently wasn't critical enough (?), so I am wondering what the bar is.

          jimp (Netgate Developer):

          We are already in the process of releasing pfSense Plus 21.02.2 and pfSense CE 2.5.1 for other reasons, and this will be included there. It will be out soon (days/weeks at most).

          I don't know that I'd consider a DoS like that CVE severe enough to warrant rushing it out faster than we'd already planned, but it's important enough that we included it in this coming release when otherwise we might not have updated a component at that level this far along in the process.

            apollo13 (replying to jimp):

            Mhm, interesting; so assuming someone considers a DoS more severe (i.e. it is actually being exploited at their site), how would one go about fixing this in their release now? Using RCs is not an option because, for other issues, those might not exist yet.

            Are there any guidelines on how to handle those things? Does Netgate have something like https://access.redhat.com/security/ where security issues are listed and their impact (as well as planned solutions/workarounds) is evaluated?

              jimp (Netgate Developer):

              There isn't a way to fix it on pfSense without waiting for an update.

              If it's critical, someone could move HAProxy to a different system (off the firewall) which has an updated OpenSSL.

                Gertjan (replying to apollo13):

                @apollo13 said in openssl CVE-2021-3449 & CVE-2021-3450:

                Does Netgate have something like https://access.redhat.com/security/

                "Red Hat" = a 13k-employee company; this probably includes the ones opening the front door.

                Netgate / Rubicon Communications LLC: unknown on wiki.org (?), so I guess a couple or a small dozen of persons, a coffee machine and a dog.

                So, true, I didn't really fact-check, but I tend to say "No" after a 60-second investigation.
                pfSense is a project based on the FreeBSD kernel/OS. They have a https://www.freebsd.org/security/ ; it is up to pfSense to sync whenever they can.

                Take note : I'm a user like you (with a browser and search engine), so the reality is probably different (Powels ©™).

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                  apollo13 (replying to Gertjan):

                  Hi @gertjan,

                  I mainly linked the Red Hat example because I didn't know how to describe such a thing in words. I am fully aware that Netgate doesn't have the manpower Red Hat has, but there could have been a list of fixed vulns or so that I am not aware of.

                  That said, I think it is important for users to understand how Netgate handles security issues like this one and what the expectations can be. Currently it sounds (?) like the fix will come soonish because another release is already on the way. Whether that is acceptable for everyone or not is for them to decide, hence my question about possible workarounds and more insight into the security process.

                    jimp (Netgate Developer):

                    For FreeBSD issues (such as OpenSSL), you can refer to the FreeBSD site for info. They have a section on security and errata.

                    For pfSense issues, we publish security advisories for problems in pfSense code.

                    The release notes for each release generally have a listing of relevant security fixes from both contexts, though we don't always enumerate every FreeBSD SA fixed since there can be a lot of them and it's easy to check based on the version of FreeBSD in a given pfSense release.

                      apollo13 (replying to jimp):

                      @jimp Thank you, that is helpful.

                      Out of curiosity (I do not know enough about the pkg management in FreeBSD itself): Wouldn't there be a possibility to publish just a fixed OpenSSL package that can be updated via pkg upgrade or similar? At first glance this seems easier (especially if the patch is small and doesn't touch the ABI) than issuing a full new pfSense release. Note that I am not suggesting doing that for every package, but maybe just for security issues that might be annoying enough for some people but still don't trigger a fast release… Or even if it is just a package file somewhere that has to be downloaded manually and installed (as far as I understood, it is generally not possible to just take the FreeBSD packages, or am I wrong here?).

                      Thank you for your patience and explanations -- I promise the above questions are the last ones on that topic :)

                      Cheers,
                      Florian

                        jimp (Netgate Developer):

                        OpenSSL is a part of the base operating system and not a separate package, so it cannot be updated on its own.

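The two points jimp makes above (a pfSense release can be checked by the FreeBSD/OpenSSL version it ships, and OpenSSL is base-system code rather than a separate pkg) lend themselves to a small check. The POSIX shell script below is an added example, not code from the thread or from Netgate: it parses `openssl version` output and reports whether the build predates OpenSSL 1.1.1k, the upstream release that fixed both CVE-2021-3449 and CVE-2021-3450 (a fact from the OpenSSL release notes, not stated in the thread). The sample version strings are constructed.

```shell
#!/bin/sh
# Added example: classify a base-system OpenSSL build against the 1.1.1k
# release that carried the upstream fixes for CVE-2021-3449 and CVE-2021-3450.
# Scope: only the 1.1.1 branch is examined; 1.0.2 was not affected by either
# CVE, so anything outside 1.1.1..1.1.1j is reported as not in range.

# Pull the bare version token out of `openssl version` output, e.g.
# "OpenSSL 1.1.1j-freebsd  16 Feb 2021" -> "1.1.1j" (build suffix dropped).
openssl_version_token() {
    printf '%s\n' "$1" | awk '{ print $2 }' | sed 's/-.*//'
}

# Exit status 0 when the build is a 1.1.1 release older than 1.1.1k.
# OpenSSL 1.1.1 patch releases are lettered, so the bare 1.1.1 and a..j
# all predate k.
needs_1_1_1k() {
    case "$(openssl_version_token "$1")" in
        1.1.1|1.1.1[abcdefghij]) return 0 ;;
        *)                        return 1 ;;
    esac
}

# One-line verdict for a full `openssl version` string.
classify_openssl() {
    if needs_1_1_1k "$1"; then
        printf 'MISSING 1.1.1k fixes: %s\n' "$1"
    else
        printf 'not a pre-1.1.1k 1.1.1 build: %s\n' "$1"
    fi
}

# Constructed sample strings (not captured from a real host).
classify_openssl "OpenSSL 1.1.1j-freebsd  16 Feb 2021"
classify_openssl "OpenSSL 1.1.1k-freebsd  25 Mar 2021"

# Live check: on pfSense/FreeBSD the openssl in PATH is the base-system
# binary, which is the one that matters because it is not a separately
# updatable pkg.
if command -v openssl >/dev/null 2>&1; then
    classify_openssl "$(openssl version)"
fi
```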
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.