openssl-1.0.2t,1 is vulnerable

Started by bruci3, December 31, 2019, 11:12:50 PM

Hi all,

I just updated my OPNsense to the latest version.

OPNsense 19.7.8-amd64
FreeBSD 11.2-RELEASE-p16-HBSD
OpenSSL 1.0.2t 10 Sep 2019

I got this when running security audit:

***GOT REQUEST TO AUDIT SECURITY***
vulnxml file up-to-date
openssl-1.0.2t,1 is vulnerable:
OpenSSL -- Overflow vulnerability
CVE: CVE-2019-1551
WWW: https://vuxml.freebsd.org/freebsd/d778ddb0-2338-11ea-a1c7-b499baebfeaf.html

1 problem(s) in 1 installed package(s) found.
***DONE***

Should I be concerned? If so, is there anything I can do about it?

Looks like it is only triggered on key generation and only when generating weak keys.


Guys, please don't post vulnerability reports. We all get the same report, and we are already working on inclusion whether you've seen it or not. ;)

The report is solely for you in three separate ways:

1. You know a security bug was found in the software and somebody is/was working on a fix.
2. You know the details to be able to mitigate the issue if possible.
3. You know an OPNsense update is coming eventually to address this.


Cheers,
Franco