From owner-freebsd-security@FreeBSD.ORG  Tue Apr  8 18:53:17 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 720086AA
 for <freebsd-security@freebsd.org>; Tue,  8 Apr 2014 18:53:17 +0000 (UTC)
Received: from mail-qa0-x234.google.com (mail-qa0-x234.google.com
 [IPv6:2607:f8b0:400d:c00::234])
 (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 316CE159B
 for <freebsd-security@freebsd.org>; Tue,  8 Apr 2014 18:53:17 +0000 (UTC)
Received: by mail-qa0-f52.google.com with SMTP id dc16so83072qab.11
 for <freebsd-security@freebsd.org>; Tue, 08 Apr 2014 11:53:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:sender:in-reply-to:references:date:message-id:subject
 :from:to:cc:content-type;
 bh=oOQNoWE7tAHHu4wRIJa7UDEPY78HAZ5ull+vanag0Ms=;
 b=Vzu1nXYoq93nxeFPjP6jkNiS0SuTjLHGDv25cWaadgaDrD7BqvY9LnXAmbSUUW1BJb
 E8i00m4zRoPt4ABwQ5Y1L562wFbKer+BG8iYKgpUqGvI/YOl31bFBotbFoFhzN9ypE+S
 +96oaYwvI1EZVnM7hIWdm3Y8sIiIu17xp5GEtzI6GxQatz0nMsrEWXtdEt+O0rH07kjW
 95SRNi685Ixh3kgd/M+NCmjMGwVuM6Rf3HhLkqRW/CjBGl1Y3LsaOP7Zr6vagbhApakW
 ymSm99W4oHRTVvGWcDQBQKUzNNvqEyoJjkvRDMLbW9EVvTq3B1C7gWtWHHA/rQtX1z51
 gVZA==
MIME-Version: 1.0
X-Received: by 10.140.101.244 with SMTP id u107mr5168376qge.107.1396983196224; 
 Tue, 08 Apr 2014 11:53:16 -0700 (PDT)
Sender: carpeddiem@gmail.com
Received: by 10.140.88.105 with HTTP; Tue, 8 Apr 2014 11:53:16 -0700 (PDT)
In-Reply-To: <CADgEyUsvvTN-PsBsiT2iZ6i9quBE8WyeiH0NeAGZ+HUSB2br4w@mail.gmail.com>
References: <20140408181745.F06A2C007AD@frontend1.nyi.mail.srv.osa>
 <CADgEyUsvvTN-PsBsiT2iZ6i9quBE8WyeiH0NeAGZ+HUSB2br4w@mail.gmail.com>
Date: Tue, 8 Apr 2014 14:53:16 -0400
X-Google-Sender-Auth: iGMFZ_snok706eRc2Wk_7HAsEvA
Message-ID: <CAPyFy2BmqKJW6BwBAX1qtJuBa-knJ8yQtNyKU1Sra73iXC-W3w@mail.gmail.com>
Subject: Re: FreeBSD's heartbleed response
From: Ed Maste <emaste@freebsd.org>
To: Nathan Dorfman <na@rtfm.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 18:53:17 -0000

On 8 April 2014 14:45, Nathan Dorfman <na@rtfm.net> wrote:
> Are you sure about that? The only email I saw stated that FreeBSD 8.x
> and 9.x weren't vulnerable because they were using an older OpenSSL,
> from before the vulnerability was introduced.

That is correct.

> FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable
> OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in
> the Makefile there. So I may well be missing something, but it looks
> vulnerable at first glance.

Also correct.

I see that the fixes were committed a few minutes ago:

FreeBSD current: r2642675
http://svnweb.freebsd.org/base?view=revision&revision=264265

FreeBSD stable/10: r2642676
http://svnweb.freebsd.org/base?view=revision&revision=264266

FreeBSD 10.0: r264267
http://svnweb.freebsd.org/base?view=revision&revision=264267