From: Xin Li
Organization: The FreeBSD Project
Date: Wed, 09 Apr 2014 23:44:47 -0700
To: Jon Boley, freebsd-stable@freebsd.org
Subject: Re: FreeBSD, VPS and Heartbleed
Message-ID: <53463DDF.2020602@delphij.net>
In-Reply-To: <5346330B.1020203@airsltd.com>
On 4/9/14, 10:58 PM, Jon Boley wrote:
> Hello,
>
> I'm running 9.2 and my openssl is a safe version.
>
> However, I do have a VPS running 9.2 and wonder if I should be
> concerned about the system that is providing me with the VPS.

I can't speak for anything that the VPS provider is running. However, the worst-case scenario when a process is linked with a vulnerable version of OpenSSL is that data in *that* process's virtual memory address space could be leaked. As long as your VPS provider can make sure that there are no memory pages being shared between virtual hosts, and as long as you are not using anything vulnerable, you should NOT be affected by the issue.

However, keep in mind that if your VPS provider runs vulnerable OpenSSL versions that are used in, e.g., their login system, and you have logged in (thus your credential data are in memory), then there is a possibility that these sensitive data may be used in an attack.

Also, should there be any vulnerability found in the hypervisor your VPS provider is running that would allow stealing memory contents from your virtual system, you may also be at risk, but this is not related to the OpenSSL issue and there are few things you can do about that other than asking the VPS provider to apply security patches in a timely manner.
Cheers,
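The reply above says the worst case for a process linked against a vulnerable OpenSSL is that memory from *that* process's address space leaks. The following is an added illustration, not code from this thread, from OpenSSL or from FreeBSD: a simulated slice of one process's memory holds a heartbeat-style record (a 2-byte length field plus a 4-byte payload) next to an unrelated secret, and two echo routines show why the missing length check matters. `build_arena`, `echo_vulnerable`, `echo_hardened`, the arena layout and the sample secret string are all constructed for this example. The vulnerable copy is capped at the arena so that the demonstration itself stays memory-safe; the point is that a length field the peer controls must be checked against the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define SECRET_OFFSET 16
/* Constructed sample secret that lives in the same address space as the record. */
static const char SECRET[] = "SESSION-TOKEN-abc123";

/* Build a simulated slice of process memory: a heartbeat-style record
 * (2-byte big-endian length field + 4-byte payload "ping") at offset 0, and
 * unrelated sensitive data further along in the same address space. */
void build_arena(unsigned char *arena, uint16_t claimed_len) {
    memset(arena, 0, ARENA_SIZE);
    arena[0] = (unsigned char)(claimed_len >> 8);
    arena[1] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 2, "ping", 4);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
}

/* Vulnerable echo: copies as many bytes as the peer's length field claims and
 * never compares it with the number of bytes actually received. The copy is
 * capped at the arena only so this demonstration stays within its own array. */
size_t echo_vulnerable(const unsigned char *arena, size_t received, unsigned char *out) {
    (void)received;  /* the vulnerable version never consults this */
    size_t claimed = ((size_t)arena[0] << 8) | arena[1];
    if (claimed > ARENA_SIZE - 2) claimed = ARENA_SIZE - 2;
    memcpy(out, arena + 2, claimed);
    return claimed;
}

/* Hardened echo: the claimed length must fit inside the bytes actually received,
 * otherwise the record is rejected and nothing is copied. Returns bytes echoed
 * or -1 on rejection. */
int echo_hardened(const unsigned char *arena, size_t received, unsigned char *out) {
    if (received < 2) return -1;                 /* no complete length field */
    size_t claimed = ((size_t)arena[0] << 8) | arena[1];
    if (claimed > received - 2) return -1;       /* length field exceeds payload received */
    memcpy(out, arena + 2, claimed);
    return (int)claimed;
}

/* 1 if the vulnerable echo of a forged record (claims 32 bytes, only 6 received)
 * reproduces the adjacent secret in its reply, else 0. */
int vulnerable_leaks_secret(void) {
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    build_arena(arena, 32);
    size_t n = echo_vulnerable(arena, 6, out);
    /* The secret starts at arena offset 16, i.e. offset 14 of the echoed bytes. */
    return n >= SECRET_OFFSET - 2 + 13 && memcmp(out + SECRET_OFFSET - 2, SECRET, 13) == 0;
}

/* Result of the hardened echo for a record carrying the given length field
 * when 6 bytes (2-byte length + "ping") were actually received. */
int hardened_result(uint16_t claimed_len) {
    unsigned char arena[ARENA_SIZE], out[ARENA_SIZE];
    build_arena(arena, claimed_len);
    return echo_hardened(arena, 6, out);
}

int main(void) {
    printf("vulnerable echo leaks adjacent secret: %d\n", vulnerable_leaks_secret());
    printf("hardened echo, forged length 32: %d\n", hardened_result(32));
    printf("hardened echo, honest length 4:  %d\n", hardened_result(4));
    return 0;
}
```

Everything the vulnerable routine can reach lies inside its own arena, which is the isolation point the reply relies on: a guest whose pages are not shared with the host's or other guests' processes is outside what this bug can read, while anything in the same process (such as the login credentials mentioned above) is not.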