From: Joe Holden
Date: Wed, 09 Apr 2014 23:28:29 +0100
To: freebsd-security@freebsd.org
Subject: Re: Proposal

The problem here is that a workaround wasn't communicated, and I suspect a very small number of religious users actually sub to security@ - also bear in mind that the website wasn't updated until a number of hours after, including RSS, which I suspect most people use.

I am not trying to undermine the required testing here, but a simple binary patch via freebsd-update to disable heartbeats would have done in the interim (who even uses them, or knows about them). IME issues like this need to be patched first, tested later, since it covers probably a large portion of the user base. I will say that the Cloudflare disclosure was entirely irresponsible and an attempt at sly marketing, but someone should have been on this (not discounting Xin Li's quick patch, which basically nobody saw) straight away. If it is a case of lack of resources then, as already mentioned, more resource is available if required - although I am unaware of the approval procedures required to publish such a patch.

Not trying to start a flame war here, but we've been upstaged by CentOS of all things...

Cheers,
Joe

On 09/04/2014 21:12, Dag-Erling Smørgrav wrote:
> Nathan Dorfman writes:
>> Is it implausible to suggest that before embarking on the task of
>> backporting, reviewing, testing and releasing the actual fix, an
>> announcement could have been made immediately with the much simpler
>> workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
>> flags?
>
> No, that's not implausible, although I don't know whether that
> workaround was known at the time. It seems obvious in retrospect, but
> may not have been that obvious under pressure. Was it mentioned in the
> OpenSSL advisory?
>
> If all you wanted to hear was "we're working on it", well, Xin did write
> that almost on -security exactly 48 hours ago.
>
> DES