From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 18:53:17 2014
Date: Tue, 8 Apr 2014 14:53:16 -0400
From: Ed Maste
To: Nathan Dorfman
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD's heartbleed response
References: <20140408181745.F06A2C007AD@frontend1.nyi.mail.srv.osa>
List-Id: Security issues [members-only posting]

On 8 April 2014 14:45, Nathan Dorfman wrote:
> Are you sure about that? The only email I saw stated that FreeBSD 8.x
> and 9.x weren't vulnerable because they were using an older OpenSSL,
> from before the vulnerability was introduced.

That is correct.

> FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable
> OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in
> the Makefile there. So I may well be missing something, but it looks
> vulnerable at first glance.

Also correct. I see that the fixes were committed a few minutes ago:

FreeBSD current: r2642675
http://svnweb.freebsd.org/base?view=revision&revision=264265

FreeBSD stable/10: r2642676
http://svnweb.freebsd.org/base?view=revision&revision=264266

FreeBSD 10.0: r264267
http://svnweb.freebsd.org/base?view=revision&revision=264267
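The check Nathan describes doing by eye (looking for OPENSSL_NO_HEARTBEATS in the libcrypto Makefile) can be scripted so that every source tree or build host is checked the same way. The following is an added example for this archive page, not code from the mail or from the FreeBSD project; it inspects Makefile CFLAGS lines for the define and runs against two constructed sample Makefiles. The path secure/lib/libcrypto/Makefile named in the comments is an assumption about where the FreeBSD build sets OpenSSL's compile flags, and the sample Makefile contents are constructed.

```shell
#!/bin/sh
# Added example (not part of the original mail): a defender-side check for
# whether an OpenSSL source build compiles out the TLS heartbeat extension
# by defining OPENSSL_NO_HEARTBEATS in its CFLAGS. In a FreeBSD src tree
# the file to point this at is assumed to be secure/lib/libcrypto/Makefile.

# heartbeats_disabled MAKEFILE
# Returns 0 when an uncommented CFLAGS line (CFLAGS= or CFLAGS+=) carries
# -DOPENSSL_NO_HEARTBEATS, 1 otherwise. Commented-out lines do not count,
# because they have no effect on the build.
heartbeats_disabled() {
    grep -Eq '^[[:space:]]*CFLAGS[[:space:]]*\+?=.*-DOPENSSL_NO_HEARTBEATS([[:space:]]|$)' "$1"
}

# report MAKEFILE
# Prints a one-line verdict for the operator and returns the check status,
# so the function can be used in a loop over many trees or hosts.
report() {
    if heartbeats_disabled "$1"; then
        echo "$1: OPENSSL_NO_HEARTBEATS set (heartbeat extension compiled out)"
    else
        echo "$1: OPENSSL_NO_HEARTBEATS missing (heartbeat extension built in)"
        return 1
    fi
}

# Constructed sample Makefiles standing in for the libcrypto Makefile
# before and after the define is added; the CFLAGS values are made up.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/Makefile.before" <<'EOF'
LIB=    crypto
CFLAGS+= -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H
# CFLAGS+= -DOPENSSL_NO_HEARTBEATS
EOF

cat > "$SAMPLE_DIR/Makefile.after" <<'EOF'
LIB=    crypto
CFLAGS+= -DOPENSSL_THREADS -DDSO_DLFCN -DHAVE_DLFCN_H
CFLAGS+= -DOPENSSL_NO_HEARTBEATS
EOF

# The "before" tree has only a commented-out define and must fail the check.
report "$SAMPLE_DIR/Makefile.before" || true
report "$SAMPLE_DIR/Makefile.after"
```

This is a static check of the build configuration, not of the library actually installed on a host, so it tells you what a tree will build, not what a running system links against; it is most useful as a gate in a build or audit script, alongside confirming the OpenSSL version the tree ships.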