From owner-freebsd-stable@FreeBSD.ORG Tue Apr 8 18:00:30 2014 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id DCBDF9E0 for ; Tue, 8 Apr 2014 18:00:30 +0000 (UTC) Received: from main.mx.e-gitt.net (service.rules.org [IPv6:2001:1560:2342::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9DC841DAD for ; Tue, 8 Apr 2014 18:00:30 +0000 (UTC) Received: from ob by main.mx.e-gitt.net with local (Exim 4.82 (FreeBSD)) (envelope-from ) id 1WXaJv-0001fT-32 for freebsd-stable@freebsd.org; Tue, 08 Apr 2014 20:00:27 +0200 Date: Tue, 8 Apr 2014 20:00:27 +0200 From: Oliver Brandmueller To: FreeBSD stable Subject: OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround? Message-ID: <20140408180026.GC2676@e-Gitt.NET> Mail-Followup-To: FreeBSD stable MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Face: "TT~P'b_)-jKU_0^a=usXryz`YTz)z.[FZrI,A~PREI2U}frrZ`>_J&; ^t|^.dR/mqtC,Vb.Y>~u8(|aL)vAv(k">zY"]*m*y|b8S7:WK[/qP5i>HO#Ek; C[X:b|FP0*Ly_4Ni User-Agent: Mutt/1.5.23 (2014-03-12) Sender: Oliver Brandmueller X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Apr 2014 18:00:30 -0000 Hi, till it's fixed in base (which I hope is very soon) (or you replace openssl in base with the fixed version from ports or patch manually): Would it probably help (with the performance impact in mind) to set malloc option junk:true to lower the risk of leakting information? manpage says: "opt.junk" (bool) r- [--enable-fill] Junk filling enabled/disabled. If enabled, each byte of uninitialized allocated memory will be initialized to 0xa5. All deallocated memory will be initialized to 0x5a. This is intended for debugging and will impact performance negatively. This option is disabled by default unless --enable-debug is specified during configuration, in which case it is enabled by default unless running inside Valgrind[2]. as oppsosed to: "opt.zero" (bool) r- [--enable-fill] Zero filling enabled/disabled. If enabled, each byte of uninitialized allocated memory will be initialized to 0. Note that this initialization only happens once for each byte, so realloc and rallocm calls do not zero memory that was previously allocated. This is intended for debugging and will impact performance negatively. This option is disabled by default. Anyone with better insights could comment on that? - Oliver -- | Oliver Brandmueller http://sysadm.in/ ob@sysadm.in | | Ich bin das Internet. Sowahr ich Gott helfe. |