OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: cw-me on March 17, 2022, 11:52:46 pm

Title: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
Post by: cw-me on March 17, 2022, 11:52:46 pm
Hello -

After upgrading to OPNsense 22.1.3, I got the message that my flavor of SSL was being let go and that I should switch to OpenSSL instead, so I did. However, now I'm getting a security vulnerability warning.

I did my research and see where my version 111m is vulnerable but the fix is in version 111m - how do I update my OpenSSL? I switched to it from my settings tab, I have no idea where else to find it, nor why it doesn't auto-update itself.....

Thanks for your help,
Title: Re: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
Post by: cw-me on March 18, 2022, 01:41:58 am
I have searched for the OpenSSL downloads, but have only found their blog with limited info and nothing on this issue. I thought I might have to learn how to download and install by hand.

I went to my packages and did a reinstall; that did not help, as it just reinstalled this vulnerable version.

I've read the OPNsense documentation about SSL - nothing I can use there.

Anyone out there. . . . .?
Title: Re: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
Post by: Greelan on March 18, 2022, 03:35:04 am
Check out the release notes for 22.1.3... :)
Title: Re: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
Post by: franco on March 18, 2022, 08:14:51 am
Patience... this one was unfortunate on timing. LibreSSL and OpenSSL and FreeBSD all released a fix on Tuesday, but e.g. the OpenSSL port was only updated by FreeBSD ports on Wednesday[1]. Since we use an older LibreSSL version, we also had to update the port ourselves.

Now ports and OS changes take a day to build, and we decided to release Thursday. The builds were finished in the night from Tuesday to Wednesday, prior to inclusion of the patches... Stopping the build and redoing it would have put the release on a Friday at best or moved it to Monday outright, so we usually decide to release as planned and follow up the next week, likely on Tuesday or Wednesday instead.

So to reiterate: it takes about 24 hours to receive builds from the nightly infrastructure, and we add 24 hours for release engineering, testing and distributing the new release, so in sum it takes 48 hours to do it. So you can see the Tuesday as security advisory coordination was just that: unfortunate.


Cheers,
Franco

[1] https://cgit.freebsd.org/ports/commit/?id=43741377b14