From owner-freebsd-security@FreeBSD.ORG  Wed Apr  9 14:44:22 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 999A3C1
 for <freebsd-security@freebsd.org>; Wed,  9 Apr 2014 14:44:22 +0000 (UTC)
Received: from mail.in-addr.com (noop.in-addr.com [208.58.23.51])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 68F901107
 for <freebsd-security@freebsd.org>; Wed,  9 Apr 2014 14:44:22 +0000 (UTC)
Received: from gjp by mail.in-addr.com with local (Exim 4.80.1 (FreeBSD))
 (envelope-from <gpalmer@freebsd.org>)
 id 1WXtfA-00049Z-5s; Wed, 09 Apr 2014 10:39:40 -0400
Date: Wed, 9 Apr 2014 10:39:40 -0400
From: Gary Palmer <gpalmer@freebsd.org>
To: Zoran Kolic <zkolic@sbb.rs>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
Message-ID: <20140409143940.GA15884@in-addr.com>
References: <mailman.384.1397005594.1401.freebsd-security@freebsd.org>
 <20140409142136.GA871@faust.sbb.rs>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20140409142136.GA871@faust.sbb.rs>
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Mail-From: gpalmer@freebsd.org
X-SA-Exim-Scanned: No (on mail.in-addr.com); SAEximRunCond expanded to false
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Apr 2014 14:44:22 -0000

On Wed, Apr 09, 2014 at 04:21:36PM +0200, Zoran Kolic wrote:
> Advisory claims 10.0 only to be affected. Patches to
> branch 9 are not of importance on the same level?

The version of OpenSSL shipped in the base FreeBSD code prior to 10.0
is not vulnerable to the Heartbeat attack, however there is a different
vulnerability which *is* in 8.x and 9.x and was documented in the advisory
as [CVE-2014-0076]

You should update 8.x and 9.x systems also, even though the vulnerability
there is probably not as easy to exploit as the Heartbeat attack.

Regards,

Gary