08/04/2014 21:44 - Daniel Howard wrote:
> Hello,
>
> Per the heartbleed vulnerability, I'm looking at a vulneranle pfsense
> firewall appliance:
>
> # /usr/bin/openssl version
> OpenSSL 0.9.8y 5 Feb 2013
> # /usr/local/bin/openssl version
> OpenSSL 1.0.1e 11 Feb 2013
> # ldd /usr/local/sbin/openvpn | grep libssl
> libssl.so.8 => /usr/local/lib/libssl.so.8 (0x8007e9000)
>
> Per Brian Drewery, the port has been fixed, but this appliance does not
> have ports installed.
>
> I see an openssl package here:
>
ftp://ftp.freebsd.org/pub/FreeBSD/ports/amd64/packages-8-stable/Latest/openssl.tbz
>
> At this moment, the timestamp is January. Can one reasonably expect that
> there is a process building updated packages for this branch? Can anyone
> advise how long before a new openssl package is published here? Or should
> I spin up an 8.3 box to build a package?
>
> Has anyone else here patched a pfsense appliance yet? Last I saw their fix
> ETA is Thursday.
>
>
> Thanks,
> -danny
>
> --
> http://dannyman.toldme.com
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at
freebsd.org"
>
For pfsense, you should definitely ask this question in the pfsense forum
(http://forum.pfsense.org/). Pfsense is essentially a fork of FreeBSD and they
have their own type of package system. They just released version 2.1.1 a few
days ago, but I doubt it includes the latest patches of openssl.
--
Carlo Strub
Ports committer