-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14_06.openssl                                    Security Advisory
                                                                      pfSense

Topic:          

Category:       pfSense Base System and Packages
Module:         openssl
Announced:      2014-04-30
Credits:        FreeBSD
Affects:        pfSense <= 2.1.2
Corrected:      2014-04-30 19:30:00 UTC (Base system)
Corrected:      2014-05-01 16:36:43 UTC (Packages)
CVE Name:       CVE-2010-5298
FreeBSD SA:     FreeBSD-SA-14:09.openssl

0.   Revision History

v1.0  2014-04-30 Initial release.
v1.1  2014-05-02 Corrected Packages resolution timestamp

I.   Background

pfSense is a free network firewall distribution.  pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls, and
much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar GNU/Linux-
based firewall distributions, there is no need for any UNIX knowledge.  The
command line is never used, and there is no need to ever manually edit any rule
sets.

The majority of pfSense users have never installed or used a stock FreeBSD
system. Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

- From the FreeBSD SA:
FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS, which
requests the library to release the memory it holds when a read or write buffer
is no longer needed for the context.

II.  Problem Description

- From the FreeBSD SA:
The buffer may be released before the library have finished using it.  It is
possible that a different SSL connection in the same process would use the
released buffer and write data into it.

III. Impact

- From the FreeBSD SA:
An attacker may be able to inject data to a different connection that they
should not be able to.

IV.  Workaround

No workaround is available, but systems that do not use OpenSSL to implement
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols, or are not using SSL_MODE_RELEASE_BUFFERS and use the same process
to handle multiple SSL connections, are not vulnerable.

The pfSense base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode.  However, some packages or third-party software
may use this mode to reduce their memory footprint and may therefore be affected
by this issue.


V.   Solution

Perform the following:

1) Upgrade to pfSense 2.1.3 upon its release. This can be
performed in the web interface or from the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide

2) Ensure that all packages are up-to-date after the upgrade. pfSense uses PBI
style packages which include their own copy of the libraries they require. Such
packages must be updated independently to ensure that no vulnerable libraries
are still in use.

VI.  Correction details

The OpenSSL package was updated to 1.0.1_11 (1.0.1g + Patches)
Additionally, packages were recompiled against the udpated library.

The OpenSSL library was updated to 1.0.1_11 from FreeBSD ports (1.0.1g +
Patches). Firmware images and packages were rebuilt using the updated library.

VII. References
<URL:http://www.freebsd.org/security/advisories/FreeBSD-SA-14:09.openssl.asc>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-14_06.openssl.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTY9MPAAoJEBO5h/2SFPjaMBgP/081G8aWC9ahIKSA5T+YLnQl
PG9RwsgACPjcCXeQ5FlQ9dLZlxfjV1VxzO1+9DtLJJNc//1zLOYLy0srj2tX+x7g
INtl56KhXBbLEXep9fXGWFRPd3sren96nikhgurZFxRA0kXfz1IlclMWGLXy5oI8
4JD9oWhH//eF1/DVqoAcsmkNZZsZNq+fqTzE360yPkNpvzevl4uaunoe0F7Ib8qr
qNlEHIvxIWVWv3ZTZxgnz2ddV5zsLI6cD+0avjv+7U1DYLZiIYWtZlSXkEZmLjsK
cB506/uLT4Av+k2sdcQf7sRLdIhVT9NY9vb9xjvKSQcci7rB1+OasUbkj5e31tkc
8ssyjSak4GV2z74Oc1jfWa56tuHRaApyUSd6pX5149qnwFcXuH/jndjd0tCsuhTs
LIcirOyhpDwSe9tiNV44EgXWBr2K2PVkHDobcW8nBvtYo1lUR0d4nuZVtXu91MaK
KY79EBVOyPtIWMJxEQqMF5j+Vi2r7kDjBohdz5G/3vr1CFV98yAH5DB0V4nY9pf9
lMFM/fZZ5ZcTuNNSWAV/Uu6Iozd8HCsxAd7K6JRc2oxZaQbgmFmUAAEClYP7S6m+
FyEGel4TjjtImgpxWyC9Qnafdr+kswv3q0No0NknfndMUfVovK2UJRdXAF6GKfwk
grtevcKJRKO+CvEo7B8H
=O8fB
-----END PGP SIGNATURE-----