A different proposal
Nathan Dorfman
na at rtfm.net
Thu Apr 10 19:34:56 UTC 2014
On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman <paul.hoffman at vpnc.org> wrote:
> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster than what the FreeBSD community provides, then you should not rely on the FreeBSD community. Install OpenSSL on your mission-critical systems from OpenSSL source, not from FreeBSD ports or packages.
I really don't think one needs to go this far. The workaround provided
in the original OpenSSL advisory, recompiling with
-DOPENSSL_NO_HEARTBEATS, was directly applicable to FreeBSD. For
anyone unsure exactly where to effect that option, it was discussed on
this very list. Also posted on this list was a working patch
containing the actual fix, on Monday afternoon.
So yes, if you want a fully tested, reviewed and supported fix, you
had to wait, but anyone in desperate need of an immediate fix had
options that didn't involve ditching FreeBSD's OpenSSL.
-nd.
More information about the freebsd-security
mailing list