Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
Audit reports vulnerabilities openssl in 17.7.7
« previous
next »
Print
Pages: [
1
]
Author
Topic: Audit reports vulnerabilities openssl in 17.7.7 (Read 4356 times)
ezhik
Newbie
Posts: 17
Karma: 0
Audit reports vulnerabilities openssl in 17.7.7
«
on:
November 12, 2017, 12:56:44 am »
Running 17.7.7. Running audit reports openssl is vulnerable:
***GOT REQUEST TO AUDIT***
vulnxml file up-to-date
openssl-1.0.2l,1 is vulnerable:
OpenSSL -- Multiple vulnerabilities
CVE: CVE-2017-3736
CVE: CVE-2017-3735
WWW:
https://vuxml.FreeBSD.org/freebsd/f40f07aa-c00f-11e7-ac58-b499baebfeaf.html
1 problem(s) in the installed packages found.
***DONE***
Patched soon?
«
Last Edit: November 12, 2017, 02:02:18 am by ezhik
»
Logged
comet
Full Member
Posts: 117
Karma: 4
Re: Audit reports vulnerabilities openssl in 17.7.7
«
Reply #1 on:
November 12, 2017, 08:44:21 am »
I agree that it would be great if this could be updated fairly soon, but I am just wondering, does OPNsense actually by default expose anything that uses openssl to the WAN port? I guess my thinking is that on a router/firewall, openssl would primarily be used for things like https access to the web GUI, or ssh access to a command line, both of which are by default normally only accessible from the LAN side. I suppose if you are running a VPN server that is accessible from the Internet, that could
possibly
be an issue, but even then I am not sure how. Guess my thinking is that unless you've got some malicious expert hackers on your LAN, this is probably nothing to panic about, but please feel free to enlighten me if I am wrong about that.
But still, I'm all for every bit of security you can get, so if these patches haven't made it into OPNsense already, I hope they do soon.
Logged
I'm a home user of OPNsense, not a networking expert. I'd much appreciate it if you'd keep that in mind if replying to something I posted. Many thanks!
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Audit reports vulnerabilities openssl in 17.7.7
«
Reply #2 on:
November 12, 2017, 10:49:03 am »
The vulnerability tool is a tricky thing: each CVE has its own scope and potential impact.
So far FreeBSD has not issued a security advisory for this, and I also missed the OpenSSL announcement so this went very quietly, mostly because:
One affects amd64 architectures from Intel Broadwell and up, and is, according to the OpenSSL analysis almost impossible to exploit. The other one is a buffer out of bound read for one single byte. It was announced in August but not patched until November because all it could do was a faulty read of X.509 certificate data during display.
If you care about these two, switch to LibreSSL flavour. There is no operational difference except less patching in general.
We will do a larger update in the last two weeks of November, 17.7.7 has been reliable so far.
Cheers,
Franco
Logged
ezhik
Newbie
Posts: 17
Karma: 0
Re: Audit reports vulnerabilities openssl in 17.7.7
«
Reply #3 on:
November 13, 2017, 12:14:23 am »
Thanks.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
17.7 Legacy Series
»
Audit reports vulnerabilities openssl in 17.7.7