FreeBSD's heartbleed response
Nathan Dorfman
na at rtfm.net
Tue Apr 8 18:45:41 UTC 2014
Are you sure about that? The only email I saw stated that FreeBSD 8.x
and 9.x weren't vulnerable because they were using an older OpenSSL,
from before the vulnerability was introduced.
FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable
OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in
the Makefile there. So I may well be missing something, but it looks
vulnerable at first glance.
-nd.
On Tue, Apr 8, 2014 at 2:17 PM, Merijn Verstraaten
<merijn at inconsistent.nl> wrote:
> Unless I misunderstood earlier emails, the heartbeat extension os ALREADY
> disabled in base, therefore FreeBSD base isn't vulnerable and the only
> problem is people who installed a newer OpenSSL from ports.
>
> Cheers,
> Merijn
>
>
> ----- Reply message -----
> From: "Nathan Dorfman" <na at rtfm.net>
> To: "Mike Tancsa" <mike at sentex.net>
> Cc: <freebsd-security at freebsd.org>
> Subject: FreeBSD's heartbleed response
> Date: Tue, Apr 8, 2014 20:05
>
> Someone please correct me if I'm wrong, but I think simply adding
> -DOPENSSL_NO_HEARTBEATS to crypto/openssl/Makefile (and recompiling!) is
> sufficient to remove the vulnerability from the base system.
>
> -nd.
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
More information about the freebsd-security
mailing list