From: Nathan Dorfman
To: Merijn Verstraaten
Cc: freebsd-security@freebsd.org
Date: Tue, 8 Apr 2014 14:45:40 -0400
Subject: Re: FreeBSD's heartbleed response
In-Reply-To: <20140408181745.F06A2C007AD@frontend1.nyi.mail.srv.osa>

Are you sure about that? The only email I saw stated that FreeBSD 8.x and 9.x weren't vulnerable because they were using an older OpenSSL, from before the vulnerability was introduced.

FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in the Makefile there. So I may well be missing something, but it looks vulnerable at first glance.

-nd.

On Tue, Apr 8, 2014 at 2:17 PM, Merijn Verstraaten wrote:
> Unless I misunderstood earlier emails, the heartbeat extension is ALREADY
> disabled in base, therefore FreeBSD base isn't vulnerable and the only
> problem is people who installed a newer OpenSSL from ports.
>
> Cheers,
> Merijn
>
>
> ----- Reply message -----
> From: "Nathan Dorfman"
> To: "Mike Tancsa"
> Cc:
> Subject: FreeBSD's heartbleed response
> Date: Tue, Apr 8, 2014 20:05
>
> Someone please correct me if I'm wrong, but I think simply adding
> -DOPENSSL_NO_HEARTBEATS to crypto/openssl/Makefile (and recompiling!) is
> sufficient to remove the vulnerability from the base system.
>
> -nd.
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
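The thread turns on two questions a defender can check locally: is the installed OpenSSL in the affected version range, and does the base build actually pass -DOPENSSL_NO_HEARTBEATS to the compiler? The following script is an added example, not code from the thread or from the FreeBSD project. It treats the two inputs as strings so it can be run against constructed samples; the affected range 1.0.1 through 1.0.1f (fixed in 1.0.1g; 0.9.8 and 1.0.0 predate the heartbeat code) is a known fact not stated in the thread, and the "-freebsd" version suffix and the /usr/src/crypto/openssl/Makefile path in the usage comment are assumptions about the local tree.

```shell
#!/bin/sh
# Added example: assess whether an OpenSSL build is exposed to Heartbleed
# from (a) its version string and (b) the Makefile that sets its CFLAGS.
# Not the thread's or FreeBSD's own code.

# Usage: version_has_heartbeat_bug "1.0.1e" (or "1.0.1e-freebsd")
# Returns 0 when the version is in the affected range 1.0.1 .. 1.0.1f.
# A vendor suffix after a dash (e.g. "-freebsd", assumed) is tolerated.
version_has_heartbeat_bug() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: makefile_disables_heartbeats "$makefile_text"
# Returns 0 when the Makefile text passes -DOPENSSL_NO_HEARTBEATS to the
# compiler, i.e. the heartbeat extension is compiled out of the library.
makefile_disables_heartbeats() {
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# Usage: assess_build "<version>" "$makefile_text"
# Prints a verdict; returns 0 when the build is not exposed, 1 when it is.
# Note: this inspects build configuration, not the running binary, so a
# library built before the define was added is still exposed until rebuilt.
assess_build() {
    ver=$1
    mk=$2
    if ! version_has_heartbeat_bug "$ver"; then
        echo "OpenSSL $ver: version not in the affected range"
        return 0
    fi
    if makefile_disables_heartbeats "$mk"; then
        echo "OpenSSL $ver: affected version, but heartbeats compiled out (valid only for a library rebuilt with that flag)"
        return 0
    fi
    echo "OpenSSL $ver: affected version with heartbeats enabled -> exposed"
    return 1
}

# Constructed sample Makefile fragments (not taken from the thread or the tree).
SAMPLE_MK_UNPATCHED='CFLAGS+= -DTERMIOS -DANSI_SOURCE'
SAMPLE_MK_PATCHED='CFLAGS+= -DTERMIOS -DANSI_SOURCE -DOPENSSL_NO_HEARTBEATS'

# Demonstration on the constructed samples; "|| true" keeps going past the
# exposed verdict so all three cases print.
assess_build "1.0.1e-freebsd" "$SAMPLE_MK_UNPATCHED" || true
assess_build "1.0.1e-freebsd" "$SAMPLE_MK_PATCHED"   || true
assess_build "0.9.8y"         "$SAMPLE_MK_UNPATCHED" || true

# Against a real host (assumed paths), the same check would be:
#   assess_build "$(openssl version | awk '{print $2}')" \
#                "$(cat /usr/src/crypto/openssl/Makefile)"
```

The version check alone is not sufficient evidence either way: a build in the affected range with the define present is only safe once the library has actually been recompiled and the dependent binaries relinked, which is the "(and recompiling!)" point from the quoted message.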