FreeBSD's heartbleed response

Ed Maste emaste at freebsd.org
Tue Apr 8 18:53:17 UTC 2014


On 8 April 2014 14:45, Nathan Dorfman <na at rtfm.net> wrote:
> Are you sure about that? The only email I saw stated that FreeBSD 8.x
> and 9.x weren't vulnerable because they were using an older OpenSSL,
> from before the vulnerability was introduced.

That is correct.

> FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable
> OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in
> the Makefile there. So I may well be missing something, but it looks
> vulnerable at first glance.

Also correct.

I see that the fixes were committed a few minutes ago:

FreeBSD current: r264265
http://svnweb.freebsd.org/base?view=revision&revision=264265

FreeBSD stable/10: r264266
http://svnweb.freebsd.org/base?view=revision&revision=264266

FreeBSD 10.0: r264267
http://svnweb.freebsd.org/base?view=revision&revision=264267

