From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 19:34:56 2014
From: Nathan Dorfman
Sender: ndorfman@gmail.com
To: Paul Hoffman
Cc: freebsd-security@freebsd.org, Pawel Biernacki
Date: Thu, 10 Apr 2014 15:34:55 -0400
Subject: Re: A different proposal
List-Id: "Security issues [members-only posting]"
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no>

On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster than what the FreeBSD community provides, then you should not rely on the FreeBSD community. Install OpenSSL on your mission-critical systems from OpenSSL source, not from FreeBSD ports or packages.

I really don't think one needs to go this far. The workaround provided in the original OpenSSL advisory, recompiling with -DOPENSSL_NO_HEARTBEATS, was directly applicable to FreeBSD. For anyone unsure exactly where to effect that option, it was discussed on this very list.

Also posted on this list was a working patch containing the actual fix, on Monday afternoon.

So yes, if you want a fully tested, reviewed and supported fix, you had to wait, but anyone in desperate need of an immediate fix had options that didn't involve ditching FreeBSD's OpenSSL.

-nd.
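The message above recommends the advisory's -DOPENSSL_NO_HEARTBEATS rebuild as a stop-gap. A rebuild like that is only worth anything if you can confirm it took effect on the listening service, so here is an added example (not from the mailing-list post or from FreeBSD) of a POSIX sh check for that. It assumes that `openssl s_client -tlsextdebug` prints one line per ServerHello extension in the form `TLS server extension "heartbeat" (id=15), len=1`; a server whose libssl was built with heartbeats compiled out never sends that extension. The two transcripts embedded at the bottom are constructed samples so the parsing logic can be exercised offline.

```shell
#!/bin/sh
# Added example: verify that a TLS endpoint no longer advertises the
# heartbeat extension after an OpenSSL rebuild with -DOPENSSL_NO_HEARTBEATS.
# Assumption: `openssl s_client -tlsextdebug` emits a line such as
#   TLS server extension "heartbeat" (id=15), len=1
# for every extension the server included in its ServerHello.

# Read an s_client transcript on stdin; exit 0 if the server advertised the
# heartbeat extension, 1 if it did not.
heartbeat_advertised() {
    grep -q 'TLS server extension "heartbeat" (id=15)'
}

# Classify a transcript passed as $1: prints "advertised" or "absent".
classify() {
    if printf '%s\n' "$1" | heartbeat_advertised; then
        echo advertised
    else
        echo absent
    fi
}

# Live check of host:port (default port 443). Returns 0 when the extension is
# absent, i.e. the no-heartbeats rebuild is in effect on that listener.
check_host() {
    host=$1
    port=${2:-443}
    transcript=$(printf '' | openssl s_client -connect "$host:$port" -tlsextdebug 2>&1)
    verdict=$(classify "$transcript")
    echo "$host:$port: heartbeat extension $verdict"
    [ "$verdict" = absent ]
}

# Constructed sample transcripts (not real captures) for offline testing.
SAMPLE_WITH_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
---
Certificate chain'

SAMPLE_WITHOUT_HB='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
---
Certificate chain'

# Usage against a live service, e.g. after restarting the daemon that links
# the rebuilt libssl:
#   check_host www.example.com 443
```

Note the scope of this check: it confirms the compile-time workaround, not the patch. A host running the patched library with heartbeats still enabled will continue to advertise the extension, so an "advertised" verdict on such a host is expected and says nothing about whether the bounds-check fix is present; for that you need the library version or the patch itself.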