Date: Wed, 9 Apr 2014 13:36:48 +0100
Subject: Proposal (Was: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl)
From: Pawel Biernacki
To: freebsd-security@freebsd.org

On 9 April 2014 00:34, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> =============================================================================
> FreeBSD-SA-14:06.openssl                                    Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          OpenSSL multiple vulnerabilities
>
> Category:       contrib
> Module:         openssl
> Announced:      2014-04-08
> Affects:        All supported versions of FreeBSD.
> Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
>                 2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
>                 2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
>                 2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
>                 2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
>                 2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
>                 2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
>                 2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
> CVE Name:       CVE-2014-0076, CVE-2014-0160
>

Thank you for finally patching that vulnerability. Many of us, FreeBSD
users, are deeply concerned about security. Yesterday we had a very busy
day on #FreeBSD on freenode with many people asking why there is no SA
and how to mitigate the threat or patch it on their own.

I understand that this is a voluntary role and you have other (real life)
responsibilities, that’s why I'd like to propose the idea of an (at least
partially) paid position of Security Officer, because we all need quick
and efficient response in cases like that.

FreeBSD Community has a good history of paying for work, many of us
supported phk@ in 2004, and recently FreeBSD Foundation hired several
people to work for all of us.

Because I've no idea how the Foundation had planned a budget for this
year, I don't know if there is any money that can be allocated for that
position. If not, maybe the Foundation can conduct additional public
fundraising for that purpose?

-- 
One of God's own prototypes. A high-powered mutant of some kind never
even considered for mass production. Too weird to live, and too rare to
die.