pfSense Gold Subscription

Author Topic: Recent OpenSSL vulnerability  (Read 2195 times)

0 Members and 1 Guest are viewing this topic.

Offline fatsailor

  • Newbie
  • *
  • Posts: 16
  • Karma: +0/-0
    • View Profile
Recent OpenSSL vulnerability
« on: April 19, 2012, 10:05:24 am »
Does anyone know if CVE-2012-2110 is a problem for us?

http://lists.grok.org.uk/pipermail/full-disclosure/2012-April/086585.html

It involves Integer overflows in certificate parsing so I presume it does......

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14976
  • Karma: +4/-0
    • View Profile
Re: Recent OpenSSL vulnerability
« Reply #1 on: April 19, 2012, 01:03:05 pm »
From what I've heard, OpenVPN is vulnerable to that. If that turns out to be true, we'll probably roll out a 2.0.2 in the very near future.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14976
  • Karma: +4/-0
    • View Profile
Re: Recent OpenSSL vulnerability
« Reply #2 on: May 03, 2012, 11:38:04 am »
FreeBSD finally issued their own SA for OpenSSL... which is a bit scarier than the ones I'd read before:

http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline wm408

  • Full Member
  • ***
  • Posts: 115
  • Karma: +0/-0
    • View Profile
Re: Recent OpenSSL vulnerability
« Reply #3 on: June 04, 2012, 12:39:22 pm »
Jimp,

     Can you make a howto on patching this? 

Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14976
  • Karma: +4/-0
    • View Profile
Re: Recent OpenSSL vulnerability
« Reply #4 on: June 04, 2012, 01:23:51 pm »
Step 1. Update to 2.0.2.
Step 2. There is no step 2.

:-)
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline wm408

  • Full Member
  • ***
  • Posts: 115
  • Karma: +0/-0
    • View Profile
Re: Recent OpenSSL vulnerability
« Reply #5 on: June 05, 2012, 05:33:51 pm »
Jimp...

I don't see 2.0.2 in the mirrors, or the firmware updater in the GUI.

What do you think?  Is it a development snap?

Thanks.

Step 1. Update to 2.0.2.
Step 2. There is no step 2.

:-)

Offline cmb

  • Administrator
  • Hero Member
  • *****
  • Posts: 6333
  • Karma: +0/-0
    • LinkedIn
    • Twitter
    • View Profile
    • Chris Buechler
Re: Recent OpenSSL vulnerability
« Reply #6 on: June 06, 2012, 01:24:34 am »
It's not available yet. That issue doesn't pose an imminent threat, we're working on testing the update.

Offline wm408

  • Full Member
  • ***
  • Posts: 115
  • Karma: +0/-0
    • View Profile
Re: Recent OpenSSL vulnerability
« Reply #7 on: June 06, 2012, 04:19:41 pm »
Thanks!


It's not available yet. That issue doesn't pose an imminent threat, we're working on testing the update.