Heartbleed and openssl 0.9.8y
There has been a pfSense update released (2.1.2) that says it fixes the Heartbleed exploit
2.1 uses openssl 0.9.8y
[2.1-RELEASE]/root(1): openssl version
OpenSSL 0.9.8y 5 Feb 2013
0.9.8 is not vulnerable to Heartbleed, so why does the 2.1.2 update reference fixing it? Is there something I'm missing?
Do I need to upgrade even though I'm on this version of openssl?
Some people mentioned that 0.9.8 is what's in the base FreeBSD that pfSense 2.1 is based on, but they use ports for OpenSSL 1.0.1 and that's what most everything in pfSense 2.1.x uses... I think.
Indeed there are multiple versions of openssl in the default pfSense image and more if you've added packages.
[2.1.2-RELEASE][firstname.lastname@example.org]/root(1): /usr/local/bin/openssl version
OpenSSL 1.0.1g 7 Apr 2014
I had the same feeling about the OpenVPN Access Server at work that we use. I built it using Ubuntu 10, which uses older OpenSSL binaries for the VPN, but the Web GUI is based on OpenSSL 1.0.1, which is what is vulnerable. They recompiled the binaries and I was able to just drop two patched binaries in its place, then rebooted the server. Since that server is basic in function, it was easy to update.
In pfSense's case I believe there are two versions of OpenSSL being used. Probably the same thing as the OpenVPN Access Server. Since there are a lot of packages and several pieces that are tied into the binaries, they couldn't just update it easily. They had to recompile everything, which took a while, and test it to make sure it works.
find / -name openssl
revealed a different openssl version in /usr/local/bin/openssl that was exploitable, so I did need to upgrade
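The `find` above only lists paths; the added script below (not from the thread, not pfSense's own tooling) does the same walk and then classifies the version string each binary reports against the Heartbleed-affected range, so a box with base-system 0.9.8y and ports-built 1.0.1 shows both results side by side. The script name and the fixed-version boundaries are my own; everything else is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not from the thread): list every openssl binary on the box
# and classify the version each one reports against the Heartbleed range.
# pfSense 2.1 ships the base FreeBSD 0.9.8y in /usr/bin and the ports build
# of 1.0.1 in /usr/local/bin, which is why a single "openssl version" misleads.

# Print "vulnerable", "not-affected" or "unknown" for one "openssl version"
# output line. Affected: 1.0.1 through 1.0.1f and 1.0.2-beta1; fixed in
# 1.0.1g. 0.9.8 and 1.0.0 never had the heartbeat extension. Vendor builds
# may backport the fix without changing the version string, so treat
# "vulnerable" as "verify further", not as proof.
heartbleed_status() {
    case "$1" in
        "OpenSSL "*) ver=${1#"OpenSSL "}; ver=${ver%% *} ;;
        *)           ver="" ;;
    esac
    case "$ver" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) echo vulnerable ;;
        "")                                                echo unknown ;;
        *)                                                 echo not-affected ;;
    esac
}

# Walk a directory tree for executables named openssl, run each one with
# "version" and print the classification next to its path and output.
check_openssl_binaries() {
    find "$1" -type f -name openssl 2>/dev/null | while read -r bin; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null || echo "")
        printf '%-13s %s: %s\n' "$(heartbleed_status "$out")" "$bin" "$out"
    done
}

# Usage: sh heartbleed_check.sh /   (scans nothing when run without a path)
if [ $# -gt 0 ]; then
    check_openssl_binaries "$1"
fi
```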