Due to the low severity of this issue we are not issuing new releases ofOpenSSL at this time. The fix will be included in the next releases when theybecome available.
Any answers about the OPnsense patching plan would be appreciated.
Thank you for your quick reply. But that is not my question. My question was not about the severity of this vul., nor the plan of OPenSSL.org, but about the OPNsense's plan to patch it. Anyhow, your reply is highly appreciated.Any answers about the OPnsense patching plan would be appreciated.
Quote from: buddystad on January 09, 2024, 08:02:40 pmAny answers about the OPnsense patching plan would be appreciated.You appear to have received your answer already. Any particular reason you believe that Opnsense's strategy should diverge from that of OpenSSL in this instance?
Quote from: buddystad on January 09, 2024, 08:02:40 pmThank you for your quick reply. But that is not my question. My question was not about the severity of this vul., nor the plan of OPenSSL.org, but about the OPNsense's plan to patch it. Anyhow, your reply is highly appreciated.Any answers about the OPnsense patching plan would be appreciated.O.K., sorry to break this to you in more clarity:Though I cannot speak for the OpnSense developers, my educated guess is that there are no plans to patch this at all in OpnSense before new upstream releases become available. OpnSense is a FreeBSD derivative, which in turn uses OpenSSL - the originator of the ("vulnerable") software, thus it is two levels downstream from the origin of the problem.As I already showed you, OpenSSL themselves have no plans to patch this now. This means that is highly unlikely that the FreeBSD folks will patch it before the next regular OpenSSL release. Which in turn means I cannot imagine that OpnSense will patch it in face of no neccessity to do so.That is just the way how stacked dependencies work in Open Source (tm). If you do not believe me, you can try to do a "vulnerability" scan of a fully up-to-date Ubuntu 22.04 LTS server with the likes of Wazuh or similar. You will find more than 100 current unpatched vulnerabilities, many of which are from Debian (upstream of Ubuntu) with a status of "wontfix" - just because the upstream package developers have no fix either.Some people seem to not understand this and have the childish wish to fix any "vulnerability" that shows up in whatever context. Won't happen. I even know of regulations which demand companies to actively look and fix such vulnerabilities. Then people ask Open Source developers to fix problems at once, which often is only possible by using the next big thing (i.e. next release) of some upstream package. Alas, their developers often do not provide a backport fix because they have done a whole new release already, which in turn cannot be used because of new "features", aka incompatibilities which would have wide-ranging consequences along with the security fix.OpenSSL is one good example for this. Matter-of-fact it is not long ago that FreeBSD switched from OpenSSL 1.0 to 1.1 because of incompatible features.For these reasons, there are few exceptions to the rule "if upstream does not fix it, we won't, either". Probably with CVSS scores > 8, but only if the scenario allows exploitation, none of which is the case here.