OpenSSL CVE-2014-0160 (openssl) in 10-STABLE workaround?
Oliver Brandmueller
ob at e-Gitt.NET
Tue Apr 8 18:00:30 UTC 2014
Hi,
till it's fixed in base (which I hope is very soon) (or you replace
openssl in base with the fixed version from ports or patch manually):
Would it probably help (with the performance impact in mind) to set
malloc option junk:true to lower the risk of leakting information?
manpage says:
"opt.junk" (bool) r- [--enable-fill]
Junk filling enabled/disabled. If enabled, each byte of
uninitialized allocated memory will be initialized to 0xa5. All
deallocated memory will be initialized to 0x5a. This is intended
for debugging and will impact performance negatively. This option
is disabled by default unless --enable-debug is specified during
configuration, in which case it is enabled by default unless
running inside Valgrind[2].
as oppsosed to:
"opt.zero" (bool) r- [--enable-fill]
Zero filling enabled/disabled. If enabled, each byte of
uninitialized allocated memory will be initialized to 0. Note that
this initialization only happens once for each byte, so realloc and
rallocm calls do not zero memory that was previously allocated.
This is intended for debugging and will impact performance
negatively. This option is disabled by default.
Anyone with better insights could comment on that?
- Oliver
--
| Oliver Brandmueller http://sysadm.in/ ob at sysadm.in |
| Ich bin das Internet. Sowahr ich Gott helfe. |
More information about the freebsd-stable
mailing list