Proposal

Xin Li delphij at delphij.net
Wed Apr 9 20:20:43 UTC 2014 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/09/14 13:12, Dag-Erling Smørgrav wrote:
> Nathan Dorfman <na at rtfm.net> writes:
>> Is it implausible to suggest that before embarking on the task
>> of backporting, reviewing, testing and releasing the actual fix,
>> an announcement could have been made immediately with the much
>> simpler workaround of adding -DOPENSSL_NO_HEARTBEATS to the
>> OpenSSL compiler flags?
> 
> No, that's not implausible, although I don't know whether that 
> workaround was known at the time.  It seems obvious in retrospect,
> but may not have been that obvious under pressure.  Was it
> mentioned in the OpenSSL advisory?

The OpenSSL advisory did mentioned it.

I didn't mention the workaround because I had posted our patch (ported
and committed to secteam repo pending review at about 13:00 PDT I
think, which later was revised because another unrelated CVE), and the
workaround also requires recompile.  Moreover, the patch would provide
better protection because it changes the code so NO_CLEAN= won't skip
it in an incremental build, while with -DOPENSSL_NO_HEARTBEATS it's
possible that the user can mistakenly miss the fix.

Cheers,
- -- 
Xin LI <delphij at delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQIcBAEBCgAGBQJTRauaAAoJEJW2GBstM+nsxtIQAKOcxp0ziuJgrEpCg9yt2q7B
rU6P6xOfVAbdMcNtj0v1XpXPyRrCtK2VHSYEd1BIIWlrYBwSLByeU2hfkYI0+TRS
FGslwuiQVZFgkqfzQjHysAf3gZICa93q8PseHD0zcMb2gLYBqHxQo222dXBjJYY4
kdvK0qBaIy8JtYGyQbyZl9nUku0s642mla8wGPb4cuTi57F2jQk2y1lFz8dZbz3+
tiGqoEk02uJsoTYOryfgaydc4WuZ63g0w8EMIsN+18qNAVigMPgzisG8kpljA/yx
mcNGfqp31BV3cHLEPjjXt7dnXvVbiEkU17ZlMNGJbgnjirfpG5sSWDM3HX1QA2Ih
GYh05a3V+l2ZgpaBhdg22KBYoH7GOc4bPs1tdHzGr1dKwzZpt3JyiR+vpCAmDfwr
RxNeFqmJnsK8VfvmIYqQHlZoDCTnzH60z8ecZG1dy6GiBVge9bqPBDUl9wvBRion
3vR3UMi1Ieby9a73MbffEyboXAGjXIXOTYp8JioqUlutj8VhgXNstDTdBw04w3s0
5lMXA6xI5hseZ/uJukrouVTzGKwZzFWht583An4DIsN4hjc4oF+LyBsFp1DYkRmX
H7WA8wqOuqTW8rVMPLiQzt3vZOTpC98q/xntAaYktAO5lHAFoBwQnO+5xYBrENEK
yJqP4hDtWUvFqQqBXPzi
=fETK
-----END PGP SIGNATURE-----

More information about the freebsd-security mailing list