Date: Thu, 10 Apr 2014 15:28:01 -0700 From: Paul Hoffman <paul.hoffman@vpnc.org> To: freebsd-security@freebsd.org Subject: Re: A different proposal Message-ID: <C239A0B5-31C3-4842-97D5-3C048A909028@vpnc.org> In-Reply-To: <CAPxErSVKxXEgBCh0g77193Hz8vTZiUcVTXuMAQyx=Bm=BMcVNg@mail.gmail.com> References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ@mail.gmail.com> <C8D2649E-4BD0-4124-9915-CCE1DCCB1A6A@vpnc.org> <CAPxErSVKxXEgBCh0g77193Hz8vTZiUcVTXuMAQyx=Bm=BMcVNg@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Apr 10, 2014, at 12:36 PM, ari edelkind <edelkind-list-freebsd-security@episec.com> wrote: > On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote: > >> Quite right. It is reasonable to assume that, given what we now know about >> the memory allocation scheme in OpenSSL, that other bugs exist and will >> only be found by exploits. Thus, it is reasonable to assume that there will >> be future emergencies like Heartbleed related to bugs in OpenSSL. >> > > I'm guessing you read a popular post by Theo de Raadt that's been going > around. Sorry, but OpenBSD's bastardized memory allocation scheme would > not have solved this; OpenSSL's malloc implementation was not to blame > here. I have heard from others, less interested in self-aggrandizement than Theo, that OpenSSL's malloc was significantly to blame. I'm not saying OpenBSD's is better, just that I have heard from multiple sources that OpenSSL malloc-wrapping both hides some bugs and makes them hard to find with automated tools. > Amateurish failure to check the sanity of user-supplied input was to > blame. Yes. > Idiotic, error-prone protocol specifications, written by > non-programmers, were to blame. Not in this case. > OpenSSL's allocator, in this instance, > worked fine -- even if it isn't the optimal choice for all operating > systems. Maybe; I'm certainly not in a position to say either way. > If your reliance on OpenSSL bugs being fixed requires a fix at a rate >> faster than what the FreeBSD community provides, then you should not rely >> on the FreeBSD community. > > > Or just make sure that all of your running services link to the OpenSSL > library built from ports. While i'm not exactly thrilled with the prospect > of waiting a significant amount of time for a vulnerability in the base > distribution to be officially patched, relying on the base system for > something like that is a bit like taking a tank to the racetrack. Updates to ports are inherently slower than patches from the OpenSSL team. My point is not that either ports or distribution are "too slow" for everyone: it is that if you are sure you need something faster than them, there is another option. >> Install OpenSSL on your mission-critical systems from OpenSSL source, not >> from FreeBSD ports or packages. > > > This is a poor idea from a maintenance standpoint. Firstly, the ports > system was updated fairly quickly, ...but not necessarily quick enough for the people complaining about the response speed of the FreeBSD team... > but aside from that, updating an > existing port yourself to download and install the next version is usually > a trivial task. And you get package management for free. Again: the whole point of this thread are people who apparently need more speed, demanding that someone be paid to make things faster for them. --Paul Hoffman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?C239A0B5-31C3-4842-97D5-3C048A909028>