https://www.computerweekly.com/news/252526709/Prepare-today-for-potentially-high-impact-OpenSSL-bug
...?
It's my understanding that OPNsense uses OpenSSL 1.1.1, so it's not affected.
root@OPNsense:~ # openssl version
OpenSSL 1.1.1o-freebsd 3 May 2022
Edit:
Versions OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022
root@OPNsense:~ # /usr/local/bin/openssl version
OpenSSL 1.1.1q 5 Jul 2022
So it's consensus that only 3.x is vulnerable? Any source for that conclusion yet?
Erm...yes....the very hyperlink you posted above?
@chemlud - the article you linked in your initial post?
Quote: What is known is that the incoming vulnerability only affects 3.0.x versions of OpenSSL
What's all the fuss about? OPNsense does not use this particular product, why should Deciso or the OPNsense team publish anything at all?
I asked two questions, I don't see any "fuss". Nice to know that sense is not affected...
jup indeed.
The only strange thing I found was that opnsense gui states:
OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022
and the terminal window:
openssl version
OpenSSL 1.1.1o-freebsd
so why is the gui claiming version 1q and terminal gives back 1o?
What about LibreSSL? My OPNsense is currently on LibreSSL 3.3.6. I see version 3.6.1 was just released but not sure if this vuln applies.
@RamSense
Quote: so why is the gui claiming version 1q and terminal gives back 1o?
widget shows ports version (/usr/local/bin/openssl version)
shell shows base (OS) version (/usr/bin/openssl version)
@Deku
no
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
openssl only.
3.0 branch only
@Fright, ah, thanks for explaining!
openssl 1.1.1s has been published.
Quote from: Deku on November 01, 2022, 06:48:16 PM
What about LibreSSL? My OPNsense is currently on LibreSSL 3.3.6. I see version 3.6.1 was just released but not sure if this vuln applies.
https://marc.info/?t=166716388700001&r=1&w=2
Is LibreSSL still functional with 22.7.x? It was my understanding that support of LibreSSL would be deleted with 22.7 (but for the last months I didn't have the time to follow up) so I switched to OpenSSL before updating to 22.7...
LibreSSL will disappear with 23.1. Right now it's still available but ports breakage continues regularly.
OpenSSL 1.1.1s will be in 22.7.7 which is scheduled for tomorrow (but for other reasons than OpenSSL).
Cheers,
Franco
Thanks for clarification!
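
Added example, not part of the thread or of OPNsense's own tooling: a small check that reports the base and ports `openssl` binaries separately (the two paths given above) and tells OpenSSL on the 3.0 branch apart from LibreSSL, whose 3.x version numbers are unrelated. The function names `classify_openssl` and `check_host` are hypothetical, and the script only reports the branch, because the thread does not state which 3.0.x release carries the fix.

```shell
#!/bin/sh
# Classify one line of `openssl version` output.
# Per the thread: only OpenSSL's 3.0 branch is affected; LibreSSL is a
# different product, so a LibreSSL "3.x" string must not be matched.
classify_openssl() {
    line=$1
    product=${line%% *}      # first word: "OpenSSL" or "LibreSSL"
    rest=${line#* }          # everything after the first space
    version=${rest%% *}      # second word, e.g. "1.1.1q" or "1.1.1o-freebsd"
    case "$product" in
        OpenSSL)
            case "$version" in
                3.0.*)  echo "on-3.0-branch" ;;   # compare with the advisory
                [0-9]*) echo "not-3.0-branch" ;;
                *)      echo "unknown" ;;
            esac ;;
        LibreSSL) echo "not-openssl" ;;
        *)        echo "unknown" ;;
    esac
}

# Query both binaries: base (OS) and ports can differ, as seen in the thread.
check_host() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        printf '%s: %s -> %s\n' "$bin" "$out" "$(classify_openssl "$out")"
    done
}

check_host
```
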