OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
« previous next »
  • Print
Pages: [1]

Author Topic: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve  (Read 2328 times)

cw-me

  • Newbie
  • *
  • Posts: 9
  • Karma: 0
    • View Profile
Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
« on: March 17, 2022, 11:52:46 pm »
Hello -

After upgrading to opnsense 22.1.3, I got the message that my flavor of SSL was being let go and that I should switch to openSSL instead, I did so.  However now I'm getting a security vulnerability warning. 

I do my research and see where my version 111m is vulnerable but the fix is in version 111m - how do I update my openssl?  I switched to it from my settings tab, I have no idea where else to find it, nor why it doesn't auto-update it's self.....

Thanks for your help,
Logged

cw-me

  • Newbie
  • *
  • Posts: 9
  • Karma: 0
    • View Profile
Re: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
« Reply #1 on: March 18, 2022, 01:41:58 am »
I have searched for the openssl downloads, but have only found their blog with limited info and nothing on this issue.  I thought I might have to learn how to download and install by hand.

I went to my packages and did a reinstall, that did not help as it just reinstalled this vulnerable versions.

I've read the OPNsense documentation about SSL - nothing I can use there.

Anyone out there. . . . .?
Logged

Greelan

  • Hero Member
  • *****
  • Posts: 1028
  • Karma: 72
    • View Profile
Re: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
« Reply #2 on: March 18, 2022, 03:35:04 am »
Check out the release notes for 22.1.3... :)
Logged

franco

  • Administrator
  • Hero Member
  • *****
  • Posts: 17660
  • Karma: 1611
    • View Profile
Re: Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
« Reply #3 on: March 18, 2022, 08:14:51 am »
Patience... this one was unfortunate on timing. LibreSSL and OpenSSL and FreeBSD all released a fix on Tuesday, but e.g. OpenSSL port was only updated by FreeBSD ports on Wednesday[1]. Since we use an older LibreSSL version we also had to update the port ourselves.

Now ports and OS changes take a day to build and we decided to release Thursday the builds were finished in the night from Tuesday to Wednesday prior to inclusion of the patches... Stopping the build and redoing it would have put the release on a Friday at best or moving to Monday outright so we usually decide to release as planned and follow up the next week, likely on Tuesday or Wednesday instead.

So to reiterate: it takes about 24 hours to receive builds from the nightly infrastructure and we add 24 hours for release engineering, testing and distributing the new release so in sum it takes 48 hours to do it so you can see the Tuesday as security advisory coordination was just that: unfortunate.


Cheers,
Franco

[1] https://cgit.freebsd.org/ports/commit/?id=43741377b14
Logged
  • Print
Pages: [1]
« previous next »
  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Q - openssl-1.1.1m_2,1 is vulnerable: How to solve
 

OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2