Bug Reports

I've looked around the forums and I don't see anything listed anywhere.  pfSense 2.1.1 is listed as having both 0.9.8g (not vulnerable) and 1.0.1e (vulnerable)--why two different versions in one distro was not explained.  Since my firewall is physically buried at the moment, I can't go to the command line and look to see what's present, so I'll just ask: what is 1.8.1-release running?  And if it is a vulnerable version, when will a patch/upgrade release be done?

Thanks, Mike

Mike, looks like there is a website you can visit to test if your vulnerable. Try this:

http://filippo.io/Heartbleed/

You can not test m0n0wall this way unless it is configured to have its GUI accessible from the WAN which not the default configuration.

m0n0wall is built against  OpenSSL 0.9.8

[OpenSSL 0.9.8 branch is NOT vulnerable]

Looks like 1.8.1 is not vulnerable then.

http://heartbleed.com/

What versions of the OpenSSL are affected?

Status of different versions:

•     OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
      OpenSSL 1.0.1g is NOT vulnerable
      OpenSSL 1.0.0 branch is NOT vulnerable
      OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

Thank you guys so much for the help.  Of course the GUI isn't accessible from the WAN, but I was thinking something else that might be using OpenSSL might be vulnerable like VPN, NTP, etc.  In any case, this makes me feel better even if it isn't being used for anything at the moment.