From: sbremal@hotmail.com
To: Kimmo Paasiala
Cc: "freebsd-security@freebsd.org"
Subject: RE: CVE-2014-0160?
Date: Fri, 11 Apr 2014 13:26:58 +0000

I receive daily email from the host which normally shows port audits and vulnerabilities. However, I did not spot anything related to CVE-2014-0160 in this email. I expected the same info comes in this email about the base system as well.

How do you normally inform about recent vulnerability in the base system? (I believe newspaper and TV is not the best way...)


Cheers
B.

----------------------------------------
> Subject: Re: CVE-2014-0160?
> From: kpaasial@icloud.com
> Date: Fri, 11 Apr 2014 16:12:36 +0300
> To: sbremal@hotmail.com
> CC: freebsd-security@freebsd.org
>
>
> On 11.4.2014, at 15.53, sbremal@hotmail.com wrote:
>
>> ext 65281 (renegotiation info, length=1)
>> ext 00011 (EC point formats, length=4)
>> ext 00035 (session ticket, length=0)
>> ext 00015 (heartbeat, length=1) <-- Your server supports heartbeat. Bug is possible when linking against OpenSSL 1.0.1f or older. Let me check.
>> Actively checking if CVE-2014-0160 works: Your server appears to be patched against this bug.
>>
>> Thanks! ;-)
>>
>> Is there any reason why nightly security patches are not enabled by default in FreeBSD?
>>
>>
>> Cheers
>> B.
>>
>
> Why do you make such a claim? The security patches are very much “enabled” (by using your words) in FreeBSD by default. This assuming that you are in fact aware of the update methods that are available and how they work. And for the update methods and how they work there’s a tremendous amount of information out there, even translated to your native language in some cases if the language barrier is a problem for you.
>
> -Kimmo