Date:      Tue, 8 Apr 2014 20:00:27 +0200
From:      Oliver Brandmueller <ob@e-Gitt.NET>
To:        FreeBSD stable <freebsd-stable@freebsd.org>
Subject:   OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Message-ID:  <20140408180026.GC2676@e-Gitt.NET>

Hi,

till it's fixed in base (which I hope is very soon) (or you replace 
openssl in base with the fixed version from ports or patch manually):

Would it probably help (with the performance impact in mind) to set 
malloc option junk:true to lower the risk of leaking information?

manpage says:

       "opt.junk" (bool) r- [--enable-fill]
           Junk filling enabled/disabled. If enabled, each byte of
           uninitialized allocated memory will be initialized to 0xa5. All
           deallocated memory will be initialized to 0x5a. This is intended
           for debugging and will impact performance negatively. This option
           is disabled by default unless --enable-debug is specified during
           configuration, in which case it is enabled by default unless
           running inside Valgrind[2].

as opposed to:

       "opt.zero" (bool) r- [--enable-fill]
           Zero filling enabled/disabled. If enabled, each byte of
           uninitialized allocated memory will be initialized to 0. Note that
           this initialization only happens once for each byte, so realloc and
           rallocm calls do not zero memory that was previously allocated.
           This is intended for debugging and will impact performance
           negatively. This option is disabled by default.


Anyone with better insights could comment on that?

- Oliver


-- 
| Oliver Brandmueller          http://sysadm.in/         ob@sysadm.in |
|                          I am the Internet. As truly as I help God. |
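
The fill semantics quoted from the man page above, as an added example that is not part of the original message and is not jemalloc code: a toy two-slot allocator (all names here are hypothetical) that applies the 0xa5/0x5a junk fill or the zero fill and counts how many bytes of a constructed secret stay readable in three situations.

```c
#include <stdio.h>
#include <string.h>

enum fill { FILL_NONE, FILL_JUNK, FILL_ZERO };
enum scenario { FREED, REUSED, LIVE_NEIGHBOUR };

#define SLOT 32
static unsigned char pool[2][SLOT];   /* two adjacent toy heap slots */
static int used[2];
static enum fill mode;

static int toy_alloc(void) {          /* first fit, returns slot index */
    int i = used[0] ? 1 : 0;
    used[i] = 1;
    if (mode == FILL_JUNK) memset(pool[i], 0xa5, SLOT);  /* junk: fill on allocation */
    if (mode == FILL_ZERO) memset(pool[i], 0x00, SLOT);  /* zero: fill on allocation */
    return i;
}

static void toy_free(int i) {
    used[i] = 0;
    if (mode == FILL_JUNK) memset(pool[i], 0x5a, SLOT);  /* only junk scrubs on free */
}

/* Count the secret bytes ('S', constructed sample data) visible to a
 * reader that can see both slots, whatever their allocation state. */
int secret_bytes_visible(enum fill m, enum scenario s) {
    int n = 0;
    mode = m;
    memset(pool, 0, sizeof pool);
    memset(used, 0, sizeof used);
    int a = toy_alloc();
    if (s == LIVE_NEIGHBOUR) {
        int b = toy_alloc();
        memset(pool[b], 'S', SLOT);   /* secret held in a live allocation */
    } else {
        memset(pool[a], 'S', SLOT);   /* secret written, then released */
        toy_free(a);
        if (s == REUSED) { a = toy_alloc(); memcpy(pool[a], "ping", 4); }
    }
    const unsigned char *p = &pool[0][0];
    for (size_t i = 0; i < sizeof pool; i++) n += (p[i] == 'S');
    return n;
}

int main(void) {
    const char *names[] = { "none", "junk", "zero" };
    for (int m = FILL_NONE; m <= FILL_ZERO; m++)
        printf("%-4s freed=%2d reused=%2d live-neighbour=%2d\n", names[m],
               secret_bytes_visible(m, FREED), secret_bytes_visible(m, REUSED),
               secret_bytes_visible(m, LIVE_NEIGHBOUR));
    return 0;
}
```

In this model the fill options only change what is left in freed or freshly allocated memory; bytes held in a live allocation are untouched in every mode.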


