openSSL 3.0.7 - any timelines yet?

chemlud · November 01, 2022, 11:15:58 AM

https://www.computerweekly.com/news/252526709/Prepare-today-for-potentially-high-impact-OpenSSL-bug

...?

ProximusAl · November 01, 2022, 12:19:01 PM

It's my understanding that OPNSense uses OPENSSL 1.1.1 so it's not affected.

seed · November 01, 2022, 01:08:15 PM

root@OPNsense:~ # openssl version
OpenSSL 1.1.1o-freebsd 3 May 2022

Edit:

Versions OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022

almodovaris · November 01, 2022, 01:25:08 PM

root@OPNsense:~ # /usr/local/bin/openssl version
OpenSSL 1.1.1q 5 Jul 2022

chemlud · November 01, 2022, 02:30:31 PM

So it's consensus that only 3.x is vulnerable? Any source for that conclusion yet?

ProximusAl · November 01, 2022, 02:53:51 PM

Erm...yes....the very hyperlink you posted above?

Patrick M. Hausen · November 01, 2022, 02:54:51 PM

@chemlud - the article you linked in your initial post?

QuoteWhat is known is that the incoming vulnerability only affects 3.0.x versions of OpenSSL

What's all the fuss about? OPNsense does not use this particular product, why should Deciso or the OPNsense team publish anything at all?

chemlud · November 01, 2022, 04:52:53 PM

I asked two questions, I don't see any "fuss". Nice to know that sense is not affected...

RamSense · November 01, 2022, 06:25:45 PM

jup indeed.
The only strange thing I found was that opnsense gui states:
OPNsense 22.7.6-amd64
FreeBSD 13.1-RELEASE-p2
OpenSSL 1.1.1q 5 Jul 2022

and the terminal window:
openssl version
OpenSSL 1.1.1o-freebsd

so why is the gui claiming version 1q and terminal gives back 1o?

Deku · November 01, 2022, 06:48:16 PM

What about LibreSSL? My OpnSense is currently on LibreSSL 3.3.6. I see version 3.6.1 was just released but not sure if this vuln applies.

Fright · November 01, 2022, 07:14:56 PM

@RamSense

Quoteso why is the gui claiming version 1q and terminal gives back 1o?

widget shows ports version (/usr/local/bin/openssl version)
shell shows base (OS) version (/usr/bin/openssl version)

@Deku
no
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
openssl only.
3.0 branch only

RamSense · November 01, 2022, 08:40:16 PM

@Fright, ah, thanks for explaining!

almodovaris · November 01, 2022, 10:25:06 PM

openssl 1.1.1s has been published.

ibb27 · November 02, 2022, 09:18:21 AM

Quote from: Deku on November 01, 2022, 06:48:16 PM
What about LibreSSL? My OpnSense is currently on LibreSSL 3.3.6. I see version 3.6.1 was just released but not sure if this vuln applies.

https://marc.info/?t=166716388700001&r=1&w=2

chemlud · November 02, 2022, 09:55:36 AM

Is LibreSSL still functional with 22.7.x? It was my understanding that support of LibreSSL would be deleted with 22.7 (but for the last months I didn't have the ttime to follow up) so I switched to openSSL before updating to 22.7...

openSSL 3.0.7 - any timelines yet?

chemlud

November 01, 2022, 11:15:58 AM

ProximusAl

November 01, 2022, 12:19:01 PM #1

seed

November 01, 2022, 01:08:15 PM #2 Last Edit: November 01, 2022, 01:28:44 PM by seed

almodovaris

November 01, 2022, 01:25:08 PM #3

chemlud

November 01, 2022, 02:30:31 PM #4

ProximusAl

November 01, 2022, 02:53:51 PM #5

Patrick M. Hausen

November 01, 2022, 02:54:51 PM #6

chemlud

November 01, 2022, 04:52:53 PM #7

RamSense

November 01, 2022, 06:25:45 PM #8

Deku

November 01, 2022, 06:48:16 PM #9

Fright

November 01, 2022, 07:14:56 PM #10

RamSense

November 01, 2022, 08:40:16 PM #11

almodovaris

November 01, 2022, 10:25:06 PM #12

ibb27

November 02, 2022, 09:18:21 AM #13

chemlud

November 02, 2022, 09:55:36 AM #14