Date: Tue, 8 Apr 2014 14:53:16 -0400
From: Ed Maste <emaste@freebsd.org>
To: Nathan Dorfman <na@rtfm.net>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD's heartbleed response
Message-ID: <CAPyFy2BmqKJW6BwBAX1qtJuBa-knJ8yQtNyKU1Sra73iXC-W3w@mail.gmail.com>
In-Reply-To: <CADgEyUsvvTN-PsBsiT2iZ6i9quBE8WyeiH0NeAGZ%2BHUSB2br4w@mail.gmail.com>
References: <20140408181745.F06A2C007AD@frontend1.nyi.mail.srv.osa>
 <CADgEyUsvvTN-PsBsiT2iZ6i9quBE8WyeiH0NeAGZ%2BHUSB2br4w@mail.gmail.com>

On 8 April 2014 14:45, Nathan Dorfman <na@rtfm.net> wrote:
> Are you sure about that? The only email I saw stated that FreeBSD 8.x
> and 9.x weren't vulnerable because they were using an older OpenSSL,
> from before the vulnerability was introduced.

That is correct.

> FreeBSD 10-STABLE, on the other hand, seems to use the vulnerable
> OpenSSL 1.0.1e, and I didn't immediately see OPENSSL_NO_HEARTBEATS in
> the Makefile there. So I may well be missing something, but it looks
> vulnerable at first glance.

Also correct. I see that the fixes were committed a few minutes ago:

FreeBSD current: r2642675
http://svnweb.freebsd.org/base?view=revision&revision=264265

FreeBSD stable/10: r2642676
http://svnweb.freebsd.org/base?view=revision&revision=264266

FreeBSD 10.0: r264267
http://svnweb.freebsd.org/base?view=revision&revision=264267