# openssl-1.0.2_15,1 is vulnerable



## timypcr (Sep 23, 2016)

I have two FreeBSD 10.3 servers; an audit shows the following:


```
pkg audit
openssl-1.0.2_15,1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2016-6308
CVE: CVE-2016-6307
CVE: CVE-2016-6306
CVE: CVE-2016-2181
CVE: CVE-2016-2179
CVE: CVE-2016-2178
CVE: CVE-2016-2177
CVE: CVE-2016-2180
CVE: CVE-2016-2182
CVE: CVE-2016-6302
CVE: CVE-2016-6303
CVE: CVE-2016-2183
CVE: CVE-2016-6305
CVE: CVE-2016-6304
WWW: https://vuxml.FreeBSD.org/freebsd/43eaa656-80bc-11e6-bf52-b499baebfeaf.html
```

I run the following:


```
pkg update
pkg upgrade
```

Still, pkg audit shows the same vulnerabilities. How can I force openssl to upgrade to a secure version?

Thanks,
Tim


----------



## DutchDaemon (Sep 23, 2016)

There simply isn't a new version in the ports tree yet (hence no binary package).


```
PORTNAME=       openssl
PORTVERSION=    1.0.2
DISTVERSIONSUFFIX=      h
PORTREVISION=   15
PORTEPOCH=      1
```


----------
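The two posts above show the whole problem in two artifacts: `pkg audit` reports the installed package as vulnerable, and the port's Makefile still describes the very same version, so `pkg upgrade` has nothing newer to install. The following script is an added example, not code from the thread or from FreeBSD's pkg tooling: it parses `pkg audit` output into per-package entries, derives the package version the ports framework would build from the Makefile's PORTVERSION / PORTREVISION / PORTEPOCH variables (DISTVERSIONSUFFIX only changes the distfile name), and reports whether the tree has moved past what is installed. The sample audit output and Makefile fragment are constructed from the text quoted in the thread; the function and field names are the example's own.

```python
"""Added example (not from the thread or from pkg): compare `pkg audit`
output against a port Makefile's version variables to tell whether an
upgrade is actually available in the ports tree."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the audit output quoted in the first post (abridged).
AUDIT_OUTPUT = """\
openssl-1.0.2_15,1 is vulnerable:
OpenSSL -- multiple vulnerabilities
CVE: CVE-2016-6308
CVE: CVE-2016-6307
CVE: CVE-2016-2183
WWW: https://vuxml.FreeBSD.org/freebsd/43eaa656-80bc-11e6-bf52-b499baebfeaf.html
"""

# Constructed sample input: the security/openssl Makefile fragment quoted above.
MAKEFILE_FRAGMENT = """\
PORTNAME=       openssl
PORTVERSION=    1.0.2
DISTVERSIONSUFFIX=      h
PORTREVISION=   15
PORTEPOCH=      1
"""


@dataclass
class AuditEntry:
    """One vulnerable package as reported by `pkg audit`."""
    name: str
    version: str
    title: str = ""
    cves: list = field(default_factory=list)
    url: str = ""


# Package names may contain '-', versions never do, so split on the last '-'.
VULN_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+) is vulnerable:$")


def parse_pkg_audit(text):
    """Group `pkg audit` output into one AuditEntry per vulnerable package."""
    entries = []
    current = None
    for line in text.splitlines():
        m = VULN_RE.match(line)
        if m:
            current = AuditEntry(m["name"], m["version"])
            entries.append(current)
        elif current is None:
            continue  # preamble before the first package block
        elif line.startswith("CVE: "):
            current.cves.append(line[5:].strip())
        elif line.startswith("WWW: "):
            current.url = line[5:].strip()
        elif line.strip() and not current.title:
            current.title = line.strip()  # the VuXML title line
    return entries


def parse_make_vars(text):
    """Read simple VAR= value assignments from a Makefile fragment."""
    make_vars = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            make_vars[key.strip()] = value.strip()
    return make_vars


def pkgversion(make_vars):
    """PKGVERSION as the ports framework derives it: PORTVERSION, then
    _PORTREVISION when non-zero, then ,PORTEPOCH when non-zero."""
    version = make_vars["PORTVERSION"]
    revision = make_vars.get("PORTREVISION", "0")
    epoch = make_vars.get("PORTEPOCH", "0")
    if revision != "0":
        version += "_" + revision
    if epoch != "0":
        version += "," + epoch
    return version


def fix_in_tree(entry, make_vars):
    """False when the ports tree still describes exactly the installed version,
    i.e. rebuilding or `pkg upgrade` cannot change anything yet."""
    return pkgversion(make_vars) != entry.version


if __name__ == "__main__":
    tree = parse_make_vars(MAKEFILE_FRAGMENT)
    for e in parse_pkg_audit(AUDIT_OUTPUT):
        print(f"{e.name}-{e.version}: {e.title} ({len(e.cves)} CVEs)")
        print("  ports tree has:", pkgversion(tree),
              "-> upgrade available" if fix_in_tree(e, tree) else "-> no fix in tree yet")
```

Run stand-alone it prints one line per vulnerable package and whether the checked-out ports tree would build anything different; the `1.0.2j,1` version that appears later in the thread corresponds to PORTVERSION=1.0.2j with PORTREVISION reset to 0 and PORTEPOCH still 1.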



## timypcr (Sep 23, 2016)

So if I check back later the package might be available?


----------



## kpa (Sep 23, 2016)

The master SVN repo does have 1.0.2i.


https://svnweb.freebsd.org/ports/head/security/openssl/


----------



## Snurg (Sep 23, 2016)

pkg audit showed a strange behavior on 11-RC1:

```
libxml2 -- multiple vulnabilities
```

Could this be called a spelling regression?  
Anyway, the pkg update / pkg upgrade worked fine here.


----------



## timypcr (Sep 26, 2016)

The patches are still not available; seems like a lack of taking security seriously within FreeBSD.


----------



## Remington (Sep 26, 2016)

I recently switched to using LibreSSL.  You can add `DEFAULT_VERSIONS = ssl=libressl` in /etc/make.conf and recompile your ports.  There's a dirty hack to include LibreSSL in the base system but it's not stable. Hopefully FreeBSD will start to use LibreSSL in its base system soon, as many other distros have started to use LibreSSL in their base system.


----------



## timypcr (Sep 26, 2016)

I read that starting with FreeBSD 11 LibreSSL will be the default and OpenSSL support may be dropped altogether. So will LibreSSL work with any existing port under 10.3? Currently I'm only concerned with nginx, apache24, pound, and ngircd. I don't really want to be bothered with testing this at the moment. Since OpenSSL is part of the base system I would expect to see an effort of releasing security patches in a timely manner until the day OpenSSL support is dropped completely.


----------



## Remington (Sep 26, 2016)

Most ports will work.  I use FreeBSD 10.3 and Nginx, Dovecot, and Postfix work fine with LibreSSL.  I don't use Apache so I can't comment.

Curl will throw an error during compilation, so you might want to disable one option, TLS_SRP.


----------



## SirDice (Sep 27, 2016)

timypcr said:


> Since OpenSSL is part of the base system I would expect to see an effort of releasing security patches in a timely manner until the day OpenSSL support is dropped completely.


Except you're using the port version, not the one from the base. The base version is patched:
https://www.freebsd.org/security/advisories/FreeBSD-SA-16:26.openssl.asc


----------



## Remington (Sep 27, 2016)

SirDice said:


> Except you're using the port version, not the one from the base. The base version is patched:
> https://www.freebsd.org/security/advisories/FreeBSD-SA-16:26.openssl.asc



Do you have any new information on when LibreSSL could be included in the base system?  OpenSSL is becoming a liability to FreeBSD.


----------



## SirDice (Sep 27, 2016)

As far as I know that's planned for FreeBSD 12.


----------



## Remington (Sep 27, 2016)

SirDice said:


> As far as I know that's planned for FreeBSD 12.



Is there a current workaround planned for 10.x and 11.x via make.conf or src.conf options to include LibreSSL in base system during 'build world'?


----------



## kpa (Sep 27, 2016)

Remington said:


> Is there a current workaround planned for 10.x and 11.x via make.conf or src.conf options to include LibreSSL in base system during 'build world'?



I doubt that. It would require backporting of huge amounts of code from CURRENT to those releases to fix all consumers of OpenSSL that make assumptions about availability of certain features that have been removed in LibreSSL.


----------



## Remington (Sep 27, 2016)

kpa said:


> I doubt that. It would require backporting of huge amounts of code from CURRENT to those releases to fix all consumers of OpenSSL that make assumptions about availability of certain features that have been removed in LibreSSL.



In other words, we will have to wait for 2 to 3 years before FreeBSD 12 is released.  That will be unacceptable for some people or companies who take security seriously.


----------



## SirDice (Sep 27, 2016)

Although there have been some problems with OpenSSL lately, issues are picked up and patched quite quickly. So I very much doubt this is as big of a problem as you imply.


----------



## kpa (Sep 27, 2016)

In theory the upcoming 10.4-RELEASE could use LibreSSL (if introduced in stable/10 now) but that would break the ABI meaning that binaries compiled on 10.3 wouldn't work out of the box on 10.4. That's a promise you don't want to break.


----------



## Remington (Sep 27, 2016)

SirDice said:


> Although there have been some problems with OpenSSL lately, issues are picked up and patched quite quickly. So I very much doubt this is as big of a problem as you imply.



True, but still it's unacceptable for some people (not me) as they might think there are other serious security issues which haven't been reported or resolved.  There have been several major security issues this year, including the DROWN attack and the recent one.  That is enough to cause concerns about OpenSSL's reliability.

TrueOS (formerly PC-BSD) and HardenedBSD currently have LibreSSL in their base system.

Anyway, there's a workaround for FreeBSD presently on LibreBSD (https://github.com/Sp1l/LibreBSD).


----------



## marino (Sep 27, 2016)

DragonFly's master branch also has LibreSSL in the base system, although it's "private", meaning only base programs and libraries use it.  Everything else has to use LibreSSL or OpenSSL from ports.  That sets DragonFly apart slightly, as TrueOS's and HardenedBSD's LibreSSL are available for public use.


----------



## DutchDaemon (Sep 27, 2016)

It's all here: https://wiki.freebsd.org/LibreSSL (including ways to get LibreSSL in base).


----------



## timypcr (Sep 27, 2016)

OpenSSL patches still not available.  I'll give it one more week.


----------



## SirDice (Sep 27, 2016)

https://svnweb.freebsd.org/ports?view=revision&revision=422776


----------



## timypcr (Sep 27, 2016)

So how does this help me when running pkg upgrade?


----------



## Remington (Sep 27, 2016)

You have to use subversion to pull in the source code and compile FreeBSD.  pkg won't be updated for at least a few days, but the source code is available immediately.  I'm doing the 'build world' right now.


----------



## SirDice (Sep 27, 2016)

Packages used to be built once a week (every Wednesday IIRC) but this schedule may have been changed already. There was some discussion about how often it should and can be done.

Ports tend to be updated quite quickly; packages will always lag behind a bit. That's an important reason why a lot of us build our own repositories. Setting up your own repository will also "solve" the other issue: it's easy to set LibreSSL as the default instead of OpenSSL.


----------



## timypcr (Oct 3, 2016)

```
Installed packages to be UPGRADED:
        openssl: 1.0.2_14 -> 1.0.2j,1
```

hooray!


----------

