From: Mel Pilgrim
To: Andrea Venturoli, freebsd-questions@freebsd.org
Subject: Re: OpenSSL CVE-2017-3736
Date: Mon, 13 Nov 2017 09:40:44 -0800
Message-ID: <6c8cfb16-f752-05a9-8739-808246f92e8d@bluerosetech.com>

On 11/13/2017 08:17, Andrea Venturoli wrote:
> Hello.
>
> A little bit out of curiosity and a little bit to plan my work...
>
> I thought any version of FreeBSD would be affected by this
> vulnerability, but heard nothing on the list.
>
> Am I wrong? Are we safe?
> Is a SA coming?

OpenSSL in 11.1 is 1.0.2k, so no, no, and yes (hopefully).

> I see devel/openssl was upgraded to 1.0.2m. Are we expected to go the
> port way?

That's not possible in all cases, but if you can, building with ports openssl is a good idea. Also, you'll need to use head, because security/openssl in 2017Q4 is still 1.0.2l.
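
The version comparison behind the reply above, as an added example that is not part of the original message: it classifies `openssl version` output for the 1.0.2 series against 1.0.2m, the release named in the thread. The function names and the sample lines are assumptions made for illustration, and the usual FreeBSD locations (/usr/bin/openssl for base, /usr/local/bin/openssl for ports) are assumed.

```shell
#!/bin/sh
# Added example: classify OpenSSL 1.0.2-series version strings against
# 1.0.2m. Function names are hypothetical, not from any FreeBSD tool.

# Extract the bare version token ("1.0.2k") from a line such as
# "OpenSSL 1.0.2k-freebsd  26 Jan 2017". Prints nothing if the line
# does not start with "OpenSSL <version>".
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Print "before-1.0.2m", "1.0.2m-or-later" or "not-1.0.2-series".
# Letters are listed explicitly so the result does not depend on locale.
classify_102() {
    tok=$(openssl_version_token "$1")
    case "$tok" in
        1.0.2)                      echo "before-1.0.2m" ;;   # no patch letter
        1.0.2[abcdefghijkl])        echo "before-1.0.2m" ;;
        1.0.2[mnopqrstuvwxyz]*)     echo "1.0.2m-or-later" ;;
        *)                          echo "not-1.0.2-series" ;;
    esac
}

# Report on the base and ports binaries if they are installed.
report_installed() {
    for bin in /usr/bin/openssl /usr/local/bin/openssl; do
        [ -x "$bin" ] || continue
        printf '%s: %s\n' "$bin" "$(classify_102 "$("$bin" version)")"
    done
}

# Constructed sample lines (not captured from a real host).
for line in \
    "OpenSSL 1.0.2k-freebsd  26 Jan 2017" \
    "OpenSSL 1.0.2l  25 May 2017" \
    "OpenSSL 1.0.2m  2 Nov 2017"; do
    printf '%-40s %s\n' "$line" "$(classify_102 "$line")"
done
```

Call `report_installed` on a host to check both binaries. The version letter only identifies the upstream release, so a base system fixed by a security advisory patch should also be checked by patch level with `freebsd-version`.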