Message-ID: <53435EFE.4010103@delphij.net>
Date: Mon, 07 Apr 2014 19:29:18 -0700
From: Xin Li
Organization: The FreeBSD Project
To: Mike Tancsa, d@delphij.net, freebsd-security@freebsd.org
Subject: Re: http://heartbleed.com/
References: <53430F72.1040307@gibfest.dk> <53431275.4080906@delphij.net> <53435E7D.5000801@sentex.net>
In-Reply-To: <53435E7D.5000801@sentex.net>
Reply-To: d@delphij.net
List-Id: "Security issues [members-only posting]"

On 4/7/14, 7:27 PM, Mike Tancsa wrote:
> On 4/7/2014 5:02 PM, Xin Li wrote:
>> Hi, Thomas,
>>
>> On 04/07/14 13:49, Thomas Steen Rasmussen wrote:
>>> Hello,
>>>
>>> http://heartbleed.com/ describes an openssl vulnerability
>>> published today. We are going to need an advisory for the
>>> openssl in base in FreeBSD 10 and we are also going to need an
>>> updated port.
>>>
>>> The implications of this vulnerability are pretty massive,
>>> certificates will need to be replaced and so on. I don't want
>>> to repeat the page, so go read that.
>>
>> We are already working on this but building, reviewing, etc.
>> would take some time.
>>
>
> Hi,
> The webpage lists
>
> FreeBSD 8.4 (OpenSSL 1.0.1e) and 9.1 (OpenSSL 1.0.1c)
>
> I take it this is only if you installed from the ports no?

That's correct. OpenSSL shipped with the base system in these two
releases are not vulnerable because they don't support the extension.

Cheers,