From: Gary Palmer <gpalmer@freebsd.org>
To: Zoran Kolic
Cc: freebsd-security@freebsd.org
Date: Wed, 9 Apr 2014 10:39:40 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
Message-ID: <20140409143940.GA15884@in-addr.com>
In-Reply-To: <20140409142136.GA871@faust.sbb.rs>

On Wed, Apr 09, 2014 at 04:21:36PM +0200, Zoran Kolic wrote:
> Advisory claims 10.0 only to be affected. Patches to
> branch 9 are not of importance on the same level?
The version of OpenSSL shipped in the base FreeBSD code prior to 10.0 is not vulnerable to the Heartbeat attack; however, there is a different vulnerability which *is* in 8.x and 9.x and was documented in the advisory as CVE-2014-0076.

You should update 8.x and 9.x systems also, even though the vulnerability there is probably not as easy to exploit as the Heartbeat attack.

Regards,

Gary