OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?

[Oliver Brandmueller]

Hi,

till it's fixed in base (which I hope is very soon) (or you replace 
openssl in base with the fixed version from ports or patch manually):

Would it probably help (with the performance impact in mind) to set 
malloc option junk:true to lower the risk of leakting information?

manpage says:

       "opt.junk" (bool) r- [--enable-fill]
           Junk filling enabled/disabled. If enabled, each byte of
           uninitialized allocated memory will be initialized to 0xa5. All
           deallocated memory will be initialized to 0x5a. This is intended
           for debugging and will impact performance negatively. This option
           is disabled by default unless --enable-debug is specified during
           configuration, in which case it is enabled by default unless
           running inside Valgrind[2].

as oppsosed to:

       "opt.zero" (bool) r- [--enable-fill]
           Zero filling enabled/disabled. If enabled, each byte of
           uninitialized allocated memory will be initialized to 0. Note that
           this initialization only happens once for each byte, so realloc and
           rallocm calls do not zero memory that was previously allocated.
           This is intended for debugging and will impact performance
           negatively. This option is disabled by default.


Anyone with better insights could comment on that?

- Oliver


-- 
| Oliver Brandmueller          http://sysadm.in/         ob at sysadm.in |
|                        Ich bin das Internet. Sowahr ich Gott helfe. |