OpenSSL lagging version



  • Hi

    Even if the NSA is able to easily read through VPNs and SSL according to Snowden, I would appreciate that OpenSSL always be updated to its latest version when a new pfSense build is made: https://www.openssl.org/

    Latest pfSense is still running the OLD 15-Jan-2015 OpenSSL 1.0.1L!

    Thanks



  • I just read through the CVEs since Jan.15 and there only seemed to be a few DoS situations that apply to us. Some of those situations are negated by properly configuring OpenSSL.

    I (ignorantly) vote for updating as well, but it is not an immediate concern, imo.

    We are all already infected anyway. :-[



  • Infected?



  • @kejianshi:

    Infected?

    Digitally infected. Were you thinking of something else?  :-X

    I prefer to assume that I am always "infected" (hacked, trojaned, backdoored, rooted, whatever).



  • Being backdoored sucks…  Sorry.  (-:

    OK - So you are just making an assumption then.  Cool.



  • @kejianshi:

    Being backdoored sucks…  Sorry.  (-:

    Zing! :D

    OK - So you are just making an assumption then.  Cool.

    Yeah, just an assumption. Well… unless you run Windows. ;)


  • Rebel Alliance Developer Netgate

    The last round of CVEs were all fairly minor as they pertain to pfSense. The worst thing are some potential DoS situations with bad certs (OpenVPN, perhaps, but even then an attacker would need a proper TLS key… you are using TLS keys, right?)

    The later OpenSSL will likely come in 2.2.2, whenever that lands.



  • Ok I've just upgraded to this new release: 2.2.2-RELEASE (amd64)
    built on Mon Apr 13 20:10:22 CDT 2015 - FreeBSD 10.1-RELEASE-p9

    and guess what?  STILL the OLD OPENSSL

    WHEN WILL PFSENSE TAKE SECURITY SERIOUSLY?

    https://www.openssl.org/ log file shows many HIGH SEVERITY security holes since JANUARY 2015!

    The NSA bast**** are spying on us, why do you ease their job? Do they give you any "directive"?


  • Rebel Alliance Developer Netgate

    FreeBSD patches OpenSSL without increasing the OpenSSL version ID. The same as they always have.

    We have the patches included, don't trust the version number alone.

    https://www.freebsd.org/security/advisories/FreeBSD-SA-15:06.openssl.asc



  • openvpn: library versions: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09
    openvpn: OpenVPN 2.3.6 amd64-portbld-freebsd10.1 [SSL (OpenSSL)] [LZO] [MH] [IPv6] built on Apr 8 2015


  • Rebel Alliance Developer Netgate

    As I mentioned before, the patches are there but the version number remains the same, which includes that date. It's not a compile date, but a static date tied to the version identifier. That's just how FreeBSD updates OpenSSL in a security release to minimize changes. So long as the FreeBSD version in "uname -a" shows 10.1-RELEASE-p8 or later, as shown in the SA, it's correct.



  • I've just updated to 2.2.3 and guess what:

    pfSense is still using the old library version: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

    There have been MANY security fixes since the 15th of January 2015:
    https://www.openssl.org/news/

    It's hard to believe that you're not helping these fu**ing NSA guys/spies.
    The patches to get 1.0.2c haven't been applied.

    Can someone demonstrate that the current OpenSSL implemented in pfSense 2.2.3 is indeed the old 1.0.1l?
    Thanks

    "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
    Edward Snowden

    "Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer."
    Glenn Greenwald in Why privacy matters - TED Talk

    Latest news, censored by US media, shame on us: http://laht.com/article.asp?CategoryId=12395&ArticleId=2390963


  • Rebel Alliance Developer Netgate

    FreeBSD patches OpenSSL without changing the version number.

    https://www.freebsd.org/security/advisories/FreeBSD-SA-15%3A10.openssl.asc

    From there:

    2015-06-12 07:23:55 UTC (releng/10.1, 10.1-RELEASE-p12)

    From 2.2.3:

    : uname -r
    10.1-RELEASE-p13
    

    -p13 > -p12, therefore we have the patches.

    Stop only looking at version numbers. They don't mean as much as you think they mean.
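The check jimp describes in his two replies (compare the patch level in `uname -r` with the level the FreeBSD advisory names, rather than reading the OpenSSL version string) can be scripted. The script below is an added example and is not from this thread, from Netgate or from FreeBSD; the helper names (`patch_level`, `base_release`, `has_patch`, `verdict`) are mine, the minimum levels p8 and p12 are the ones quoted above from FreeBSD-SA-15:06 and FreeBSD-SA-15:10 for the releng/10.1 branch, and the 10.2-RELEASE-p2 string is a constructed input used only to show what happens when the installed system is on a different branch than the advisory line being compared.

```shell
#!/bin/sh
# Added example (not from this thread): decide whether an installed FreeBSD
# release carries an OpenSSL security fix by comparing its patch level with the
# level named in the FreeBSD security advisory, instead of reading the OpenSSL
# version string (which FreeBSD leaves unchanged when it patches a release).

# Patch level of a release string: "10.1-RELEASE-p13" -> 13, "10.1-RELEASE" -> 0.
patch_level() {
    case "$1" in
        *-p[0-9]*) echo "${1##*-p}" ;;
        *)         echo 0 ;;
    esac
}

# Base release without the patch suffix: "10.1-RELEASE-p13" -> "10.1-RELEASE".
base_release() {
    echo "${1%-p[0-9]*}"
}

# has_patch INSTALLED REQUIRED
#   returns 0 when INSTALLED is at or above the REQUIRED patch level,
#   1 when it is below it, and 2 when the two are different base releases
#   (an advisory lists each branch on its own line, so this line cannot decide).
has_patch() {
    installed="$1"
    required="$2"
    [ "$(base_release "$installed")" = "$(base_release "$required")" ] || return 2
    [ "$(patch_level "$installed")" -ge "$(patch_level "$required")" ]
}

# verdict INSTALLED REQUIRED: human-readable form of has_patch.
verdict() {
    rc=0
    has_patch "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "$1: includes the fix shipped in $2" ;;
        1) echo "$1: BELOW $2, fix is missing" ;;
        *) echo "$1: different base release than $2, check that branch's line in the SA" ;;
    esac
    return "$rc"
}

# Minimum levels quoted in the thread (FreeBSD-SA-15:06 and FreeBSD-SA-15:10,
# both for the releng/10.1 branch).
SA_15_06_MIN="10.1-RELEASE-p8"
SA_15_10_MIN="10.1-RELEASE-p12"

# With an argument, check that release string (e.g. the output of `uname -r`);
# without one, run the comparisons discussed in the thread on fixed strings.
if [ $# -gt 0 ]; then
    verdict "$1" "$SA_15_10_MIN"
else
    verdict "10.1-RELEASE-p9"  "$SA_15_06_MIN"   # the 2.2.2 build in the thread vs SA-15:06
    verdict "10.1-RELEASE-p9"  "$SA_15_10_MIN"   # same build vs the later SA-15:10
    verdict "10.1-RELEASE-p13" "$SA_15_10_MIN"   # the 2.2.3 build in the thread
    verdict "10.2-RELEASE-p2"  "$SA_15_10_MIN"   # constructed: other branch, not decidable here
fi
```

On a pfSense box you would run it as `sh check.sh "$(uname -r)"` and read the advisory's line for your own branch into the minimum; a result of 2 means the script could not decide and you need the advisory line for the branch you are actually running. The exit status mirrors the verdict, so the check can also sit in a cron job or monitoring probe.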



  • @dplat:

    I've just updated to 2.2.3 and guess what:

    pfSense is still using the old library version: OpenSSL 1.0.1l-freebsd 15 Jan 2015, LZO 2.09

    There have been MANY security fixes since the 15th of January 2015:
    https://www.openssl.org/news/

    It's hard to believe that you're not helping these fu**ing NSA guys/spies.
    The patches to get 1.0.2c haven't been applied.

    Can someone demonstrate that the current OpenSSL implemented in pfSense 2.2.3 is indeed the old 1.0.1l?
    Thanks

    "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
    Edward Snowden

    "Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer."
    Glenn Greenwald in Why privacy matters - TED Talk

    Latest news, censored by US media, shame on us: http://laht.com/article.asp?CategoryId=12395&ArticleId=2390963

    You may want to actually read what John is saying about the manner in which FreeBSD patches things in a security release.  Really it's not that hard to understand.



  • @jimp:

    Stop only looking at version numbers. They don't mean as much as you think they mean.

    Ok thanks

    @mer:

    You may want to actually read what John is saying about the manner in which FreeBSD patches things in a security release.  Really it's not that hard to understand.

    Alright, thanks

