OPNsense Forum

Archive => 19.7 Legacy Series => Topic started by: bruci3 on December 31, 2019, 11:12:50 pm

Title: openssl-1.0.2t,1 is vulnerable
Post by: bruci3 on December 31, 2019, 11:12:50 pm
Hi all,

I just updated my OPNsense to the latest version.

OPNsense 19.7.8-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019

I got this when running security audit:

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
openssl-1.0.2t,1 is vulnerable:
OpenSSL -- Overflow vulnerability
CVE: CVE-2019-1551
WWW: https://vuxml.FreeBSD.org/freebsd/d778ddb0-2338-11ea-a1c7-b499baebfeaf.html

1 problem(s) in 1 installed package(s) found.
***DONE***

Should I be concerned? If so, is there anything I can do about it?

Title: Re: openssl-1.0.2t,1 is vulnerable
Post by: fabian on January 01, 2020, 12:09:49 am
Looks like it is only triggered on key generation and only when generating weak keys.

Title: Re: openssl-1.0.2t,1 is vulnerable
Post by: bruci3 on January 01, 2020, 12:42:39 am
Thanks for the prompt reply.

Title: Re: openssl-1.0.2t,1 is vulnerable
Post by: franco on January 07, 2020, 02:31:25 pm
Guys, please don't post vulnerability reports. We do all get the same report and we already work on inclusion whether you've seen it or not.  ;)

The report is solely for you in three separate ways:

1. You know a security bug was found in the software and somebody is/was working on a fix.
2. You know the details to be able to mitigate the issue if possible.
3. You know an OPNsense update is coming eventually to address this.


Cheers,
Franco