A different proposal

Paul Hoffman paul.hoffman at vpnc.org
Thu Apr 10 14:56:42 UTC 2014


On Apr 9, 2014, at 3:46 PM, Pawel Biernacki <pawel.biernacki at gmail.com> wrote:

> Since such situations had happened in the past and are still
> happening, something should be done about them.

Quite right. It is reasonable to assume, given what we now know about the memory allocation scheme in OpenSSL, that other bugs exist and will only be found by exploits. Thus, it is reasonable to assume that there will be future emergencies like Heartbleed related to bugs in OpenSSL.

If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster than what the FreeBSD community provides, then you should not rely on the FreeBSD community. Install OpenSSL on your mission-critical systems from OpenSSL source, not from FreeBSD ports or packages. The OpenSSL source will always be updated before the FreeBSD community fixes are released.

--Paul Hoffman (who will continue to rely on the FreeBSD community for OpenSSL, and is in fact terribly grateful for the volunteers who did this work as quickly as they did)