OpenSSL vulnerabilities

A friend told me today OpenSSL is currently vulnerable and I didn't believe him, so I just checked http://www.openssl.org/news/vulnerabilities.html and saw that several vulnerabilities have been found which affect the version I have at the moment

Code:
openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013

and there are no updates available.
I wonder what a paranoid admin would do in such a case?

Thanks!
 
I did this before posting:
Code:
3) To update your vulnerable system via a binary patch:
# freebsd-update fetch
# freebsd-update install

and indeed I saw this related output:
Code:
/usr/include/openssl/bn.h
/usr/lib/libcrypto.a
/usr/lib/libcrypto_p.a
/usr/lib/libssl.a
/usr/lib/libssl.so.7
/usr/lib/libssl_p.a
/usr/lib32/libcrypto.a
/usr/lib32/libcrypto.so.7
/usr/lib32/libcrypto_p.a
/usr/lib32/libssl.a
/usr/lib32/libssl.so.7
/usr/lib32/libssl_p.a
/usr/src/crypto/openssl/crypto/bn/bn.h
/usr/src/crypto/openssl/crypto/bn/bn_lib.c
/usr/src/crypto/openssl/crypto/ec/ec2_mult.c
/usr/src/crypto/openssl/ssl/d1_both.c
/usr/src/crypto/openssl/ssl/t1_lib.c

then after reboot I still see the same:
Code:
openssl version
OpenSSL 1.0.1e-freebsd 11 Feb 2013

I also checked I don't have ports version
Code:
pkg info | grep ssl
and because of that I got confused: how do I verify my system openssl is patched/updated?
 
I looked at the actual patch file, and it doesn't appear that it changes the version information displayed by openssl. My guess is that this is by design, as the patch only fixes the vulnerabilities and doesn't include any other changes that the actual newer version of OpenSSL might include.
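Since `openssl version` keeps reporting the old string after a binary patch, the thing to check is the userland patch level. The script below is an added example, not from any post in this thread; it assumes freebsd-version(1), which exists from FreeBSD 10.0 on, and the required patch level (2 here) is a constructed value that you would take from the advisory for your release.

```sh
#!/bin/sh
# Added example: check the FreeBSD userland patch level instead of the
# OpenSSL version string, which freebsd-update's binary patch leaves unchanged.

# patchlevel "10.0-RELEASE-p2" -> 2 ; "10.0-RELEASE" -> 0
patchlevel() {
    case "$1" in
        *-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *)         printf '0\n' ;;
    esac
}

# userland_patched <version-string> <required-level>
# exit status 0 when the given version is at or above the required level
userland_patched() {
    [ "$(patchlevel "$1")" -ge "$2" ]
}

# Print kernel and userland levels. uname -r reflects the kernel only and
# does not move for a userland-only patch such as a libssl fix; the userland
# level comes from freebsd-version -u (FreeBSD 10.0 and later).
report() {
    required=${1:-2}   # constructed value; use the level named in the advisory
    kern=$(uname -r)
    printf 'kernel:   %s (patch level %s)\n' "$kern" "$(patchlevel "$kern")"
    if command -v freebsd-version >/dev/null 2>&1; then
        user=$(freebsd-version -u)
        printf 'userland: %s (patch level %s)\n' "$user" "$(patchlevel "$user")"
        if userland_patched "$user" "$required"; then
            printf 'userland is at or above p%s: patched\n' "$required"
        else
            printf 'userland is below p%s: run freebsd-update fetch install\n' "$required"
        fi
    else
        printf 'userland: unknown (freebsd-version not available before 10.0)\n'
    fi
}

# Run the report only when invoked with --report so the functions can be sourced.
if [ "${1:-}" = "--report" ]; then
    report "${2:-2}"
fi
```

Run it as `sh check-patch.sh --report 2` on the host; the patch level should rise after `freebsd-update install` even though `openssl version` does not.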
 
Updated my system, it says the same thing. Followed the instructions and I don't see any one saying it should be otherwise, so I think it's safe to assume it's fine. :)
 
nforced said:
I did this before posting:
Code:
3) To update your vulnerable system via a binary patch:
# freebsd-update fetch
# freebsd-update install

Install gave me this output.

Code:
Installing updates...Segmentation fault (core dumped)
 done.

Did something go wrong?
 
mj12net said:
nforced said:
I did this before posting:
Code:
3) To update your vulnerable system via a binary patch:
# freebsd-update fetch
# freebsd-update install

Install gave me this output.

Code:
Installing updates...Segmentation fault (core dumped)
 done.

Did something go wrong?
I had the same problem on FreeBSD 10.0-RELEASE (amd64)
 
Run the install part like this and look at the resulting log file to see which command is actually segfaulting:

script /tmp/freebsd-update-install.log sh -x /usr/sbin/freebsd-update install
 
kpa said:
Run the install part like this and look at the resulting log file to see which command is actually segfaulting:

script /tmp/freebsd-update-install.log sh -x /usr/sbin/freebsd-update install

Thank you very much.
My log looks okay and I didn't find anything wrong.
 