> I believe pfSense users are only affected by the secondary flaw, and also any
> software in pfSense using the /usr/local/... version of OpenSSL, as mentioned
> by Vick Khera earlier.

Both SAs affect pfSense 2.1 and 2.1.1.

Heartbleed is an issue because OpenSSL version 1.0.1f is used for software that
is not part of FreeBSD 8.3-RELEASE (i.e. things found in /usr/local) in addition
to the version without the Heartbleed issue, which is part of FreeBSD 8.3-RELEASE.

Both issues are being corrected via pending release of pfSense 2.1.2, as well as
a near future rev for the pfSense 2.2 snapshots.

-- Jim

> On Apr 8, 2014, at 21:05, Paul Mather <[email protected]> wrote:
>
>> On Apr 8, 2014, at 9:35 PM, Paul Mather <[email protected]> wrote:
>>
>>> On Apr 8, 2014, at 3:04 PM, Jim Thompson <[email protected]> wrote:
>>>
>>> Well, that’s the point, Paul. (You hit the nail on the head.)
>>>
>>> If you don’t have an openssl service exposed, the problem doesn’t affect
>>> you.
>>>
>>> Since normally the web GUI isn’t exposed to the WAN, the attack surface is
>>> minimised.
>>
>> The FreeBSD Security Advisory FreeBSD-SA-14:06.openssl states this in the
>> Impact section:
>>
>> =====
>> III. Impact
>>
>> An attacker who can send a specifically crafted packet to TLS server or
>> client with an established connection can reveal up to 64k of memory of
>> the remote system. Such memory might contain sensitive information,
>> including key material, protected content, etc. which could be directly
>> useful, or might be leveraged to obtain elevated privileges. [CVE-2014-0160]
>>
>> A local attacker might be able to snoop a signing process and might recover
>> the signing key from it. [CVE-2014-0076]
>> =====
>>
>> I take that to read the vulnerability being exploitable both ways, i.e., a
>> malicious server could also attack a vulnerable client connecting to it via
>> SSL/TLS, making the attack surface potentially much larger.
>>
>> FWIW, the pre-advisory "heads-up" message from the FreeBSD Security Officer
>> appears to back this up. It included the following advice:
>>
>> =====
>> Users who use TLS client and/or server are strongly advised to apply
>> updates immediately.
>>
>> Because of the nature of this issue, it's also recommended for system
>> administrators to consider revoking all of server certificate, client
>> certificate and keys that is used with these systems and invalidate
>> active authentication credentials with a forced passphrase change.
>> =====
>
> Just as a followup and clarification to the above, the recent OpenSSL
> vulnerability Security Advisory actually covers two OpenSSL flaws. The
> "heartbleed" flaw only affects FreeBSD 10 in the base OS. All other
> supported FreeBSD releases are affected by the other flaw they describe (in
> the ECDSA Montgomery Ladder Approach implementation).
>
> I believe pfSense users are only affected by the secondary flaw, and also any
> software in pfSense using the /usr/local/... version of OpenSSL, as mentioned
> by Vick Khera earlier.
>
> Kudos to the pfSense team for beavering away and cranking out a fix!
>
> Cheers,
>
> Paul.
>
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list
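The thread turns on which copy of OpenSSL a given piece of software actually uses: the FreeBSD 8.3 base library, which predates the heartbeat extension, or the 1.0.1f copy installed under /usr/local. The script below is an added example, not code from this thread or from the pfSense project. It classifies an `openssl version` string against the range the OpenSSL project's advisory listed as affected by CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1) and then reports on both binaries if they are present; the paths /usr/bin/openssl and /usr/local/bin/openssl and the sample version strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the pfSense list thread or the pfSense project.
# Classifies "openssl version" output against the CVE-2014-0160 (Heartbleed)
# affected range and reports on the FreeBSD base binary and the ports copy
# under /usr/local (both paths are assumptions for illustration).
#
# Affected per the OpenSSL project advisory of 7 Apr 2014: 1.0.1 through 1.0.1f
# and 1.0.2-beta1. Not affected: 1.0.1g and later, the 1.0.0 and 0.9.8 branches.

# heartbleed_vulnerable "OpenSSL 1.0.1f 6 Jan 2014"
# Returns 0 (true) when the version token is in the affected range, 1 otherwise.
heartbleed_vulnerable() {
    set -- $1            # word-splitting is intended: $2 becomes the version token
    case "$2" in
        1.0.1)        return 0 ;;   # the first 1.0.1 release
        1.0.1[a-f]*)  return 0 ;;   # 1.0.1a .. 1.0.1f, including suffixes such as -fips
        1.0.2-beta1)  return 0 ;;
        *)            return 1 ;;
    esac
}

# report_binary /path/to/openssl
# Prints one verdict line. Returns 0 when the binary is absent, unrunnable or
# unaffected, and 2 when it is in the affected range.
report_binary() {
    bin=$1
    if [ ! -x "$bin" ]; then
        echo "$bin: not present"
        return 0
    fi
    vstr=$("$bin" version 2>/dev/null)
    if [ -z "$vstr" ]; then
        echo "$bin: could not obtain a version string"
        return 0
    fi
    if heartbleed_vulnerable "$vstr"; then
        echo "$bin: $vstr -> affected by CVE-2014-0160; update, then reissue certificates and keys"
        return 2
    fi
    echo "$bin: $vstr -> not affected by CVE-2014-0160"
    return 0
}

# Constructed sample strings (not captured from a real host) showing the classification.
demo_classify() {
    for s in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1f 6 Jan 2014" "OpenSSL 1.0.1g 7 Apr 2014"; do
        if heartbleed_vulnerable "$s"; then
            echo "sample: $s -> affected"
        else
            echo "sample: $s -> not affected"
        fi
    done
}

demo_classify
# Check the two copies a pfSense 2.1 install may carry: base system and ports.
for b in /usr/bin/openssl /usr/local/bin/openssl; do
    report_binary "$b"
done
```

A version string only tells you what the command-line binary is; it does not tell you which libssl a particular daemon (the web GUI, OpenVPN, a package from ports) loaded. For a specific service, confirm with `ldd` which libssl.so it links against, and treat any process still holding the old library in memory as unpatched until it is restarted.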
