# Security Question Regarding OpenSSL



## Fatman (Jan 11, 2009)

Hi everyone,

I'm running Freebsd 7.0 with pf and openvpn. I'm somewhat new to freebsd and noticed there was a recent security advisor stating a vulnerability with openssl. 

http://forums.freebsd.org/showthread.php?p=8287#post8287

This lead me to believe that i'm vulnerable due to ssh and openvpn using it. I think I have the version of openssl that is installed with the base since i don't see it with pkg_info. Only with "whereis".

# whereis openssl
openssl: /usr/bin/openssl /usr/share/openssl/man/man1/openssl.1.gz /usr/src/secure/usr.bin/openssl

When I ran portaudit -Fda on the box, nothing was found.

# portaudit -Fda
auditfile.tbz                                 100% of   53 kB   54 kBps
New database installed.
Database created: Sun Jan 11 10:10:10 EST 2009
0 problem(s) in your installed packages found.

# pkg_info | grep openvpn
openvpn-2.0.6_9     Secure IP/Ethernet tunnel daemon

Should I proceed anyways with the patching steps instructed in the advisory? Also, does this affect ssh as well?

Thanks,

Fatman


----------



## DutchDaemon (Jan 11, 2009)

If you're using the base system openssl, you can patch as explained in the Security Advisory. The openssl port (which you're not using) has already been patched. Everything using openssl will just work fine after patching; these applications will just call and use openssl as usual.


----------



## cajunman4life (Jan 11, 2009)

FYI - Portaudit will only display security problems with the ports you've installed. Since OpenSSL is in the base (and you didn't install the port version) then portaudit won't show any problems for it.


----------



## Fatman (Jan 11, 2009)

Thanks for the quick response, I really appreciate it.


----------



## Fatman (Jan 11, 2009)

Ok, I tried applying the patch without success. When I run the first command, i get the following output:

# patch < openssl.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: crypto/openssl/apps/speed.c
|===================================================================
|--- crypto/openssl/apps/speed.c        (revision 186740)
|+++ crypto/openssl/apps/speed.c        (working copy)
--------------------------
File to patch:
No file found--skip this patch? [n]

This is the first time I patch something, so please don't laugh at me. Do i need to put the patch file in the openssl directory or is it failing because i'm logged in via ssh?

Thanks for the help,

Fatman


----------



## DutchDaemon (Jan 11, 2009)

Did you cd to /usr/src before applying the patch?
Do you have the full sources installed?


----------



## Fatman (Jan 11, 2009)

Thanks Dutch,

I'm a moron. It's seems that i have a problem reading! 

I forgot to cd to /usr/src.


----------



## marius (Jan 13, 2009)

A nice alternative to applying patches manually is the freebsd-update utility that is already installed on your system. This will do all the work for you - downloading and applying patches, and you don't even have to recompile anything.

It's as easy to use as this:


```
freebsd-update fetch
freebsd-update install
```

It won't update your kernel if you're not using the GENERIC kernel.


----------

