From owner-freebsd-security@FreeBSD.ORG Wed Apr 9 20:20:43 2014 Return-Path: <owner-freebsd-security@FreeBSD.ORG> Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BB048C84 for <freebsd-security@freebsd.org>; Wed, 9 Apr 2014 20:20:43 +0000 (UTC) Received: from anubis.delphij.net (anubis.delphij.net [64.62.153.212]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "anubis.delphij.net", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 9E1161A7C for <freebsd-security@freebsd.org>; Wed, 9 Apr 2014 20:20:43 +0000 (UTC) Received: from zeta.ixsystems.com (unknown [69.198.165.132]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by anubis.delphij.net (Postfix) with ESMTPSA id BD06F75CC; Wed, 9 Apr 2014 13:20:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=delphij.net; s=anubis; t=1397074843; bh=MnrEK9RRh0nQlnbm3BKH6tG3FR6/uMpV3+OIbIc2S/8=; h=Date:From:Reply-To:To:CC:Subject:References:In-Reply-To; b=P6T0E/yz6wLVTE9BC02lA5Tb+pMHB8/0W0C5wPozsfO3cg7IsQmswNJ40SqIfX/hd CBSEXjBDZD4WNSAvip9C7EP80nVsv70cQrVx3z0tRJVVu+TRDQtxKUlyubFHBeWwOL mFZoWuAE4B/hwCxmDt+Xyn5vB+tLTds2+5Nk6fKo= Message-ID: <5345AB9A.8040001@delphij.net> Date: Wed, 09 Apr 2014 13:20:42 -0700 From: Xin Li <delphij@delphij.net> Organization: The FreeBSD Project MIME-Version: 1.0 To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= <des@des.no>, Nathan Dorfman <na@rtfm.net> Subject: Re: Proposal References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> <CADgEyUstkxO1i_B9Qsw=K9qT=nrh9evhv8VekMdNKauOQFN6dg@mail.gmail.com> <86d2gqz2he.fsf@nine.des.no> In-Reply-To: <86d2gqz2he.fsf@nine.des.no> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, Walter Hop <freebsd@spam.lifeforms.nl>, Kimmo Paasiala <kpaasial@icloud.com>, Pawel Biernacki <pawel.biernacki@gmail.com> X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list Reply-To: d@delphij.net List-Id: "Security issues \[members-only posting\]" <freebsd-security.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/> List-Post: <mailto:freebsd-security@freebsd.org> List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, <mailto:freebsd-security-request@freebsd.org?subject=subscribe> X-List-Received-Date: Wed, 09 Apr 2014 20:20:43 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 04/09/14 13:12, Dag-Erling Smørgrav wrote: > Nathan Dorfman <na@rtfm.net> writes: >> Is it implausible to suggest that before embarking on the task >> of backporting, reviewing, testing and releasing the actual fix, >> an announcement could have been made immediately with the much >> simpler workaround of adding -DOPENSSL_NO_HEARTBEATS to the >> OpenSSL compiler flags? > > No, that's not implausible, although I don't know whether that > workaround was known at the time. It seems obvious in retrospect, > but may not have been that obvious under pressure. Was it > mentioned in the OpenSSL advisory? The OpenSSL advisory did mentioned it. I didn't mention the workaround because I had posted our patch (ported and committed to secteam repo pending review at about 13:00 PDT I think, which later was revised because another unrelated CVE), and the workaround also requires recompile. Moreover, the patch would provide better protection because it changes the code so NO_CLEAN= won't skip it in an incremental build, while with -DOPENSSL_NO_HEARTBEATS it's possible that the user can mistakenly miss the fix. Cheers, - -- Xin LI <delphij@delphij.net> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBCgAGBQJTRauaAAoJEJW2GBstM+nsxtIQAKOcxp0ziuJgrEpCg9yt2q7B rU6P6xOfVAbdMcNtj0v1XpXPyRrCtK2VHSYEd1BIIWlrYBwSLByeU2hfkYI0+TRS FGslwuiQVZFgkqfzQjHysAf3gZICa93q8PseHD0zcMb2gLYBqHxQo222dXBjJYY4 kdvK0qBaIy8JtYGyQbyZl9nUku0s642mla8wGPb4cuTi57F2jQk2y1lFz8dZbz3+ tiGqoEk02uJsoTYOryfgaydc4WuZ63g0w8EMIsN+18qNAVigMPgzisG8kpljA/yx mcNGfqp31BV3cHLEPjjXt7dnXvVbiEkU17ZlMNGJbgnjirfpG5sSWDM3HX1QA2Ih GYh05a3V+l2ZgpaBhdg22KBYoH7GOc4bPs1tdHzGr1dKwzZpt3JyiR+vpCAmDfwr RxNeFqmJnsK8VfvmIYqQHlZoDCTnzH60z8ecZG1dy6GiBVge9bqPBDUl9wvBRion 3vR3UMi1Ieby9a73MbffEyboXAGjXIXOTYp8JioqUlutj8VhgXNstDTdBw04w3s0 5lMXA6xI5hseZ/uJukrouVTzGKwZzFWht583An4DIsN4hjc4oF+LyBsFp1DYkRmX H7WA8wqOuqTW8rVMPLiQzt3vZOTpC98q/xntAaYktAO5lHAFoBwQnO+5xYBrENEK yJqP4hDtWUvFqQqBXPzi =fETK -----END PGP SIGNATURE-----