Author Topic: openSSL 3.0.7 - any timelines yet? (Read 3942 times)

chemlud · « **on:** November 01, 2022, 11:15:58 am »

https://www.computerweekly.com/news/252526709/Prepare-today-for-potentially-high-impact-OpenSSL-bug

...?

ProximusAl · « **Reply #1 on:** November 01, 2022, 12:19:01 pm »

It's my understanding that OPNSense uses OPENSSL 1.1.1 so it's not affected.

seed · « **Reply #2 on:** November 01, 2022, 01:08:15 pm »

root@OPNsense:~ # openssl version
OpenSSL 1.1.1o-freebsd 3 May 2022

Edit:

Versions OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022

almodovaris · « **Reply #3 on:** November 01, 2022, 01:25:08 pm »

root@OPNsense:~ # /usr/local/bin/openssl version
OpenSSL 1.1.1q 5 Jul 2022

chemlud · « **Reply #4 on:** November 01, 2022, 02:30:31 pm »

So it's consensus that only 3.x is vulnerable? Any source for that conclusion yet?

ProximusAl · « **Reply #5 on:** November 01, 2022, 02:53:51 pm »

Erm...yes....the very hyperlink you posted above?

Patrick M. Hausen · « **Reply #6 on:** November 01, 2022, 02:54:51 pm »

@chemlud - the article you linked in your initial post?

Quote

What is known is that the incoming vulnerability only affects 3.0.x versions of OpenSSL

What's all the fuss about? OPNsense does not use this particular product, why should Deciso or the OPNsense team publish anything at all?

chemlud · « **Reply #7 on:** November 01, 2022, 04:52:53 pm »

I asked two questions, I don't see any "fuss". Nice to know that sense is not affected...

RamSense · « **Reply #8 on:** November 01, 2022, 06:25:45 pm »

jup indeed.
The only strange thing I found was that opnsense gui states:
OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022

and the terminal window:
openssl version
OpenSSL 1.1.1o-freebsd

so why is the gui claiming version 1q and terminal gives back 1o?

Deku · « **Reply #9 on:** November 01, 2022, 06:48:16 pm »

What about LibreSSL? My OpnSense is currently on LibreSSL 3.3.6. I see version 3.6.1 was just released but not sure if this vuln applies.

Fright · « **Reply #10 on:** November 01, 2022, 07:14:56 pm »

@RamSense

Quote

so why is the gui claiming version 1q and terminal gives back 1o?

widget shows ports version (/usr/local/bin/openssl version)
shell shows base (OS) version (/usr/bin/openssl version)

@Deku
no
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
openssl only.
3.0 branch only

RamSense · « **Reply #11 on:** November 01, 2022, 08:40:16 pm »

@Fright, ah, thanks for explaining!

almodovaris · « **Reply #12 on:** November 01, 2022, 10:25:06 pm »

openssl 1.1.1s has been published.

ibb27 · « **Reply #13 on:** November 02, 2022, 09:18:21 am »

Quote from: Deku on November 01, 2022, 06:48:16 pm

What about LibreSSL? My OpnSense is currently on LibreSSL 3.3.6. I see version 3.6.1 was just released but not sure if this vuln applies.

https://marc.info/?t=166716388700001&r=1&w=2

chemlud · « **Reply #14 on:** November 02, 2022, 09:55:36 am »

Is LibreSSL still functional with 22.7.x? It was my understanding that support of LibreSSL would be deleted with 22.7 (but for the last months I didn't have the ttime to follow up) so I switched to openSSL before updating to 22.7...

Author Topic: openSSL 3.0.7 - any timelines yet? (Read 3942 times)

chemlud

openSSL 3.0.7 - any timelines yet?

ProximusAl

Re: openSSL 3.0.7 - any timelines yet?

seed

Re: openSSL 3.0.7 - any timelines yet?

almodovaris

Re: openSSL 3.0.7 - any timelines yet?

chemlud

Re: openSSL 3.0.7 - any timelines yet?

ProximusAl

Re: openSSL 3.0.7 - any timelines yet?

Patrick M. Hausen

Re: openSSL 3.0.7 - any timelines yet?

chemlud

Re: openSSL 3.0.7 - any timelines yet?

RamSense

Re: openSSL 3.0.7 - any timelines yet?

Deku

Re: openSSL 3.0.7 - any timelines yet?

Fright

Re: openSSL 3.0.7 - any timelines yet?

RamSense

Re: openSSL 3.0.7 - any timelines yet?

almodovaris

Re: openSSL 3.0.7 - any timelines yet?

ibb27

Re: openSSL 3.0.7 - any timelines yet?

chemlud

Re: openSSL 3.0.7 - any timelines yet?