Is the Squid package affected by the current OpenSSL vulnerability (CVE-2022-3602/CVE-2022-3786)

mr_snow

Hello,

I'm aware of this post which says that pfSense in general is not vulnerable.

But what about the included Squid package? Unfortunately, I lack the understanding of the underlying software stack to analyze the problem on my own. On other systems like Ubuntu, Squid seems vulnerable (source).

Best regards,
mr_snow

Edit: Or is it enough to ssh on the pfSense and check the OpenSSL version?
[2.6.0-RELEASE][admin@pfsense.***]/root: openssl version
OpenSSL 1.1.1l-freebsd 24 Aug 2021

jimp

Packages* wouldn't matter for that, only the version of OpenSSL in the base system.

We deliberately do not link packages against anything other than the base version of OpenSSL. We tried having a newer OpenSSL from ports around and it only made things more difficult to manage and keep straight.

* Packages we build on pfSense anyhow. There might be something out there on third party servers that bundles OpenSSL we're unaware of (e.g. a web browser) but not something in the package servers run by Netgate/used by pfSense.

mr_snow

@jimp Perfect, thanks for the explaination :)