# OpenSSL vulnerabilities



## nforced (Apr 11, 2014)

A friend told me today OpenSSL is currently vulnerable and I didn't believe him, so I just checked http://www.openssl.org/news/vulnerabilities.html and saw there are several vulnerabilities found which affect the version I have at the moment


```
openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013
```

and there are no updates available.
I wonder what a paranoid admin will do in such case?

Thanks!


----------



## Juanitou (Apr 11, 2014)

I'm not an administrator but a desktop user, but `freebsd-update` brought the required updates several days ago.

But I’m maybe wrong for your case…


----------



## ManaHime (Apr 11, 2014)

You may find this FreeBSD Security Advisory to be useful.

Edit: Haha, I was beaten to it by a minute.


----------



## nforced (Apr 11, 2014)

I did this before posting:

```
3) To update your vulnerable system via a binary patch:
# freebsd-update fetch
# freebsd-update install
```

and indeed I saw this related output:

```
/usr/include/openssl/bn.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.7
/usr/lib/libssl_p.a
/usr/lib32/libcrypto.a
/usr/lib32/libcrypto.so.7
/usr/lib32/libcrypto_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so.7
/usr/lib32/libssl_p.a
/usr/src/crypto/openssl/crypto/bn/bn.h
/usr/src/crypto/openssl/crypto/bn/bn_lib.c
/usr/src/crypto/openssl/crypto/ec/ec2_mult.c
/usr/src/crypto/openssl/ssl/d1_both.c
/usr/src/crypto/openssl/ssl/t1_lib.c
```

then after reboot I still see the same:

```
openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013
```

I also checked I don't have ports version

```
pkg info | grep ssl
```
and because of that I get confused, how do I verify my system openssl is patched/updated?


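The binary patch from `freebsd-update` replaces the affected files but does not bump the `openssl version` string, so that command cannot answer "is it patched?". What can answer it is a comparison of the installed files against the hashes in the update index, which is exactly what `freebsd-update IDS` does (and, on 10.0 and later, `freebsd-version -u` shows the userland patch level). The script below is an added example, not part of the thread or of freebsd-update itself: it re-creates that comparison in POSIX sh against a constructed manifest and a constructed fake root, so every path, hash and file content in it is made up for the demo.

```shell
#!/bin/sh
# Added example: verify installed files against a SHA256 manifest, the same
# idea as `freebsd-update IDS`. All files, paths and hashes below are
# constructed for the demo; they are not real FreeBSD index data.

# Portable SHA256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST ROOT
# MANIFEST lines are "<path> <sha256>"; ROOT is prepended to each path.
# Prints OK / MODIFIED / MISSING per file and returns 1 if any file is
# missing or does not hash to the value the manifest expects.
verify_manifest() {
    mf=$1; rt=$2; rc=0
    while read -r path expected; do
        [ -z "$path" ] && continue
        f="$rt$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        actual=$(sha256_of "$f")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MODIFIED $path"; rc=1
        fi
    done < "$mf"
    return $rc
}

# Constructed fake root holding two "patched" libraries.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/lib"
printf 'patched libssl\n'    > "$demo_root/usr/lib/libssl.so.7"
printf 'patched libcrypto\n' > "$demo_root/usr/lib/libcrypto.so.7"

# Constructed manifest: hashes of the patched files, plus one file the
# index expects that was never installed (hash value is a placeholder).
manifest=$(mktemp)
for p in /usr/lib/libssl.so.7 /usr/lib/libcrypto.so.7; do
    printf '%s %s\n' "$p" "$(sha256_of "$demo_root$p")"
done > "$manifest"
printf '/usr/lib/libssl_p.a %s\n' \
    0000000000000000000000000000000000000000000000000000000000000000 >> "$manifest"

# Simulate an install that left one library stale.
printf 'old libcrypto\n' > "$demo_root/usr/lib/libcrypto.so.7"

verify_manifest "$manifest" "$demo_root" \
    || echo "some files do not match the index; re-run the install step"
```

On a real system the equivalent check is `freebsd-update IDS`, which reports each file whose hash differs from the one in the index; a clean run after `freebsd-update install` is the confirmation the version string cannot give you.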
----------



## ljboiler (Apr 11, 2014)

I looked at the actual patch file, and it doesn't appear that it changes the version information displayed by openssl. My guess is that is by design, as the patch only fixes the vulnerabilities and doesn't include any other changes that the actual newer version of OpenSSL might include.


----------



## zspider (Apr 11, 2014)

Updated my system, it says the same thing. Followed the instructions and I don't see anyone saying it should be otherwise, so I think it's safe to assume it's fine.


----------



## mj12net (Apr 13, 2014)

nforced said:


> I did this before posting:
> 
> ```
> 3) To update your vulnerable system via a binary patch:
> ...


----------



## fernandel (Apr 14, 2014)

mj12net said:


> nforced said:
> 
> 
> 
> ...


I had the same problem on FreeBSD 10.0-RELEASE (amd64)


----------



## kpa (Apr 14, 2014)

Run the install part like this and look at the resulting log file to see which command is actually segfaulting:

`script /tmp/freebsd-update-install.log sh -x /usr/sbin/freebsd-update install`


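With `sh -x` the shell prints every command, prefixed by `+ `, just before running it, so in the `script` transcript the last `+ ` line before the crash message is the command that died. The helper below is an added example (not from the thread, and not part of freebsd-update) that pulls that line out of such a log automatically; the log it runs on is constructed for the demo and does not show real freebsd-update internals.

```shell
#!/bin/sh
# Added example: find the command that was running when a
# `script LOG sh -x /usr/sbin/freebsd-update install` transcript shows a crash.
# The transcript below is constructed for the demo.

# crash_culprit LOGFILE
# Prints "<log line number>: <traced command>" for the last "+ " trace line
# before the first crash message from the shell (Segmentation fault, Bus
# error, Abort trap). Returns 1 if the log contains no crash message.
crash_culprit() {
    awk '
        /^\++ /                                   { last = NR ": " $0 }
        /Segmentation fault|Bus error|Abort trap/ { print last; found = 1; exit }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# Constructed transcript: a crash while unpacking a library.
crash_log=$(mktemp)
cat > "$crash_log" <<'EOF'
Script started on Mon Apr 14 10:02:11 2014
+ fetch_metadata
+ install_from_index /tmp/freebsd-update.demo/INDEX
+ cp /tmp/freebsd-update.demo/libssl.so.7 /usr/lib/libssl.so.7
+ gunzip -c /tmp/freebsd-update.demo/libcrypto.so.7.gz
Segmentation fault (core dumped)
Script done on Mon Apr 14 10:02:40 2014
EOF

# Constructed transcript of a run that finished cleanly.
clean_log=$(mktemp)
cat > "$clean_log" <<'EOF'
Script started on Mon Apr 14 10:05:00 2014
+ fetch_metadata
+ install_from_index /tmp/freebsd-update.demo/INDEX
Script done on Mon Apr 14 10:05:20 2014
EOF

crash_culprit "$crash_log" || echo "no crash found in $crash_log"
crash_culprit "$clean_log" || echo "no crash found in $clean_log"
```

Run it against the real `/tmp/freebsd-update-install.log`; if it reports nothing, the install script itself did not crash and the problem lies elsewhere (for example in the output of a command it ran, which the log still shows in full).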
----------



## fernandel (Apr 14, 2014)

kpa said:


> Run the install part like this and look at the resulting log file to see which command is actually segfaulting:
> 
> `script /tmp/freebsd-update-install.log sh -x /usr/sbin/freebsd-update install`



Thank you very much.
My log looks okay and I didn't find anything wrong.


----------

