Date: Tue, 8 Apr 2014 14:45:40 -0400
From: Nathan Dorfman <na@rtfm.net>
To: Merijn Verstraaten <merijn@inconsistent.nl>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD's heartbleed response
Message-ID: <CADgEyUsvvTN-PsBsiT2iZ6i9quBE8WyeiH0NeAGZ%2BHUSB2br4w@mail.gmail.com>
In-Reply-To: <20140408181745.F06A2C007AD@frontend1.nyi.mail.srv.osa>
References: <20140408181745.F06A2C007AD@frontend1.nyi.mail.srv.osa>
Are you sure about that? The only email I saw stated that FreeBSD 8.x and 9.x weren't vulnerable because they were using an older OpenSSL, from before the vulnerability was introduced. FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in the Makefile there. So I may well be missing something, but it looks vulnerable at first glance.

-nd.

On Tue, Apr 8, 2014 at 2:17 PM, Merijn Verstraaten <merijn@inconsistent.nl> wrote:
> Unless I misunderstood earlier emails, the heartbeat extension is ALREADY
> disabled in base, therefore FreeBSD base isn't vulnerable and the only
> problem is people who installed a newer OpenSSL from ports.
>
> Cheers,
> Merijn
>
>
> ----- Reply message -----
> From: "Nathan Dorfman" <na@rtfm.net>
> To: "Mike Tancsa" <mike@sentex.net>
> Cc: <freebsd-security@freebsd.org>
> Subject: FreeBSD's heartbleed response
> Date: Tue, Apr 8, 2014 20:05
>
> Someone please correct me if I'm wrong, but I think simply adding
> -DOPENSSL_NO_HEARTBEATS to crypto/openssl/Makefile (and recompiling!) is
> sufficient to remove the vulnerability from the base system.
>
> -nd.
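The two checks the thread turns on (which OpenSSL release a system carries, and whether the build passes -DOPENSSL_NO_HEARTBEATS) can be scripted for triage. This is an added example, not code from the thread or from FreeBSD; the Makefile fragments and version strings are constructed, and the affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g, with 0.9.8 and 1.0.0 never containing the heartbeat code) is assumed from the public Heartbleed advisory.

```shell
#!/bin/sh
# Added triage helper: classify an OpenSSL build's Heartbleed exposure from
# its version string and from the Makefile used to build it.

# heartbeat_disabled_in_makefile FILE
# Returns 0 if FILE passes -DOPENSSL_NO_HEARTBEATS to the compiler, which is
# the mitigation proposed in the thread.  '--' keeps grep from reading the
# leading '-D' of the pattern as an option.
heartbeat_disabled_in_makefile() {
    grep -q -- '-DOPENSSL_NO_HEARTBEATS' "$1"
}

# version_has_heartbleed_code "OpenSSL 1.0.1e 11 Feb 2013"
# Returns 0 if the release is in the affected range 1.0.1 .. 1.0.1f.
# Pre-release strings such as 1.0.1-beta are not classified here.
version_has_heartbleed_code() {
    ver=${1#OpenSSL }      # drop the "OpenSSL " prefix if present
    ver=${ver%% *}         # keep only the version token
    case "$ver" in
        1.0.1|1.0.1[a-f]) return 0 ;;
        *)                return 1 ;;
    esac
}

# heartbleed_exposure VERSION_STRING MAKEFILE -> prints one word:
#   not-affected  release predates the bug or already carries the fix
#   mitigated     affected release, but heartbeats compiled out
#   vulnerable    affected release with the heartbeat extension built in
heartbleed_exposure() {
    if ! version_has_heartbleed_code "$1"; then
        echo not-affected
    elif heartbeat_disabled_in_makefile "$2"; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed Makefile fragments standing in for the build Makefile before
# and after the proposed change (not FreeBSD's real file).
MK_BEFORE=$(mktemp); MK_AFTER=$(mktemp)
printf 'CFLAGS+= -DOPENSSL_THREADS\n' > "$MK_BEFORE"
printf 'CFLAGS+= -DOPENSSL_THREADS\nCFLAGS+= -DOPENSSL_NO_HEARTBEATS\n' > "$MK_AFTER"

for v in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1e 11 Feb 2013" "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%-28s before: %-13s after: %s\n' "$v" \
        "$(heartbleed_exposure "$v" "$MK_BEFORE")" \
        "$(heartbleed_exposure "$v" "$MK_AFTER")"
done
rm -f "$MK_BEFORE" "$MK_AFTER"
```

On a live system the same function takes `"$(openssl version)"` and the path of the Makefile named in the thread; it only reports what was compiled in, so a rebuilt library still has to be installed and running services restarted before the result means anything.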
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADgEyUsvvTN-PsBsiT2iZ6i9quBE8WyeiH0NeAGZ%2BHUSB2br4w>