Noob: How to upgrade OpenSSL version?

[dangerzone9k]

Hi all,

I need to upgrade my FreeBSD boxes because of the new OpenSSL vulnerability. Below are the versions of OpenSSL running on them. I have FreeBSD 9.0 installed on the boxes. There is a new OpenSSL vulnerability CVE-2014-0224 and I need to upgrade. Can someone help me? Let me know if you need further information from me.

Mentor	0.9.8q	FreeBSD
DMZ sensor	0.9.8y	FreeBSD
Internal sensor	0.9.8y	FreeBSD
Connect	0.9.8q	FreeBSD

From reading http://www.openssl.org/news/secadv_20140605.txt (security advisory) it says to upgrade to 0.9.8za.

Thanks in advance!

 

[fonz]

If you are using the version of OpenSSL that came with the release you are using, use freebsd-update as described in this section of the Handbook. If you are using OpenSSL from the ports tree, updating the ports tree and rebuilding OpenSSL (same Handbook, different chapter) should do it.

Feel free to follow up if you have any remaining questions.

Also, please note that FreeBSD 9.0-RELEASE has reached EoL (End of Life) and is no longer officially supported. You'll probably want to upgrade to a supported version of FreeBSD.

 

[dangerzone9k]

Hi Fonz,

On my Mentor box which is running 0.9.8q I did sudo freebsd-update fetch followed by sudo freebsd-update install. When I do openssl version -a I still see the same vulnerable version running. I did see the message that 9.0-RELEASE is EOL.

 

[fonz]

On my Mentor box which is running 0.9.8q I did sudo freebsd-update fetch followed by sudo freebsd-update install. When I do openssl version -a I still see the same vulnerable version running. I did see the message that 9.0-RELEASE is EOL.

That last bit might be the problem. Reading the SA (Security Advisory), I see that revision numbers for safe 9.X versions are only given for 9.1, 9.2 and 9-STABLE. I suspect that EoL versions just don't get security updates any more.

 

[kpa]

On my Mentor box which is running 0.9.8q I did sudo freebsd-update fetch followed by sudo freebsd-update install. When I do openssl version -a I still see the same vulnerable version running. I did see the message that 9.0-RELEASE is EOL.

That last bit might be the problem. Reading the SA (Security Advisory), I see that revision numbers for safe 9.X versions are only given for 9.1, 9.2 and 9-STABLE. I suspect that EoL versions just don't get security updates any more.

Yes, your suspicion is correct. None of the unsupported branches will get any security or errata fixes after the support has ended.

 

[fonz]

Yes, your suspicion is correct. None of the unsupported branches will get any security or errata fixes after the support has ended.

@@dangerzone9k: Which means that the only way of protecting your box(es) will be to update to a supported release. Not because we don't care or don't want to help, but because EoL versions simply do not get updates any more. Coming from 9.0-RELEASE, you can use freebsd-update to perform a binary upgrade to 9.1-RELEASE or (preferably) 9.2-RELEASE. The procedure is explained in the same chapter of the Handbook that I referenced above. Moreover, a minor update (going to a supported 9.X release) is not as big a deal as a major update (going to 10.X).

 

[junovitch@]

@dangerzone9k, there is a well defined process for security issues with FreeBSD. I would recommend taking a look at http://www.freebsd.org/security/advisories.html as there have been six OpenSSL vulnerabilities since 9.0-RELEASE came out and 36 security issues total that your system has likely been exposed to all this time.

 

[dangerzone9k]

Thanks for the information everyone. I'm going to upgrade to a supported version of FreeBSD and will post if I run into any issues.

Thanks!