Heartbleed and openssl 0.9.8y



  • There has been a pfsense update released (2.1.2) that says it fixes the heartbleed exploit
    https://blog.pfsense.org/?p=1253

    2.1 uses openssl 0.9.8y

    
    [2.1-RELEASE]/root(1): openssl version
    OpenSSL 0.9.8y 5 Feb 2013
    

    0.9.8 is not vulnerable to heartbleed, so why does the 2.1.2 update reference fixing it? Is there something I'm missing?

    Do I need to upgrade even though I'm on this version of openssl?

    Thanks!



  • Some people mentioned that 0.98 is what's in the base FreeBSD that PFSense 2.1 is based on, but they use ports for OpenSSL 1.0.1 and that's what most everything in PFSense 2.1.x uses…. I think.


  • Netgate Administrator

    Indeed there are multiple versions of openssl in the default pfSense image and more if you've added packages.
    Specifically:

    [2.1.2-RELEASE][root@pfsense.fire.box]/root(1): /usr/local/bin/openssl version
    OpenSSL 1.0.1g 7 Apr 2014
    
    

    Steve



I had the same feeling about OpenVPN Access Server at work that we use.  I built it using Ubuntu 10, which uses older OpenSSL binaries for the VPN, but the Web GUI is based on OpenSSL 1.0.1, which is what is vulnerable.  They recompiled the binaries and I was able to just drop two patched binaries in its place, then rebooted the server.  Since that server is basic in function, it was easy to update.

    In pfSense's case I believe there are two versions of OpenSSL being used.  Probably the same thing as the OpenVPN Access Server.  Since there are a lot of packages and several pieces that are tied into the binaries, they couldn't just update it easily.  They had to recompile everything, which took a while, and test it to make sure it works.



  • doing:

    find / -name openssl 
    

    revealed a different openssl version in /usr/local/bin/openssl that was exploitable, so I did need to upgrade
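The last two replies describe the check that actually settled the question: find every `openssl` binary on the box and ask each one for its version, because the base-system `/usr/bin/openssl` (0.9.8y) and the ports `/usr/local/bin/openssl` (1.0.1g after the 2.1.2 update) are different builds. The script below is an added example, not code from the thread or from the pfSense project. It walks the filesystem the way the `find` in the reply above does, runs `version` on each executable it finds, and classifies the reported version token against the Heartbleed-affected range (1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8 and 1.0.0 never had the TLS heartbeat code, and 1.0.1g and later are fixed). The `--scan` flag and the function names are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): list every openssl binary on a host and
# flag the ones whose reported version falls in the Heartbleed-affected range.

# classify_openssl_version: takes the full output of `openssl version`
# (e.g. "OpenSSL 1.0.1g 7 Apr 2014") and prints one of
# VULNERABLE / not-vulnerable / unknown, judged on the version token alone.
classify_openssl_version() {
    # shellcheck disable=SC2086
    set -- $1            # word-split the line; the second word is the version
    ver=${2:-}
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "VULNERABLE" ;;        # 1.0.1 .. 1.0.1f (incl. -fips builds), 1.0.2-beta1
        0.9.8*|1.0.0*|1.0.1*|1.0.2*|1.1.*|3.*)
            echo "not-vulnerable" ;;    # no heartbeat code at all, or already fixed
        *)
            echo "unknown" ;;           # not an OpenSSL version line
    esac
}

# scan_openssl_binaries: find every file named "openssl", run `version` on the
# executable ones, and print path, version line and verdict, tab-separated.
# Multiple hits with different versions are exactly the situation the thread hit.
scan_openssl_binaries() {
    find / -type f -name openssl 2>/dev/null | while IFS= read -r bin; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$bin" "$out" "$(classify_openssl_version "$out")"
    done
}

# Only walk the filesystem when explicitly asked, so sourcing this file for the
# classifier has no side effects.  Usage:  sh check_openssl.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_openssl_binaries
fi
```

Two caveats a version-string check cannot cover. First, some distributions backport the fix without changing the version token, so a `VULNERABLE` verdict from the string alone is a prompt to check `openssl version -a` (it prints the build date) or the package changelog, not proof. Second, a daemon that loaded the old shared library keeps it mapped until it is restarted, which is why replacing the binaries and then rebooting, as the OpenVPN reply above describes, is the right order.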

