Date: Tue, 8 Apr 2014 12:26:38 -0700
From: John-Mark Gurney
To: Florent Peterschmitt
Cc: Mark Boolootian, Chris Nehren, freebsd-security@freebsd.org
Subject: Re: FreeBSD's heartbleed response
Message-ID: <20140408192638.GA34745@funkthat.com>

Florent Peterschmitt wrote this message on Tue, Apr 08, 2014 at 20:39 +0200:
> On 08/04/2014 19:46, Mark Boolootian wrote:
> > While it may not be quite what you're looking for, ports contains
> > OpenSSL 1.0.1g.
>
> Why not moving critical parts of the basesystem to ports, that will be
> installed at system installation of course?

Because we have programs in base that depend upon OpenSSL... so, moving
OpenSSL out of base is not really an option, unless you want to remove
fetch, hostapd, pkg, and wpa_supplicant from the base system, we are
stuck w/ OpenSSL in base... yes, there is pkg there, how are you going
to fetch packages to install if you don't have that?

btw, all found w/ ldd /usr/bin/* /usr/sbin/* 2>/dev/null | less and searching
for libssl...

-- 
John-Mark Gurney				Voice: +1 415 225 5579

     "All that I will do, has been done, All that I have, has not."
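
Added example, not part of the message above and not FreeBSD project code: a non-interactive version of the ldd search it describes, which prints each binary that links libssl so the list can be used as a rebuild/restart inventory after an OpenSSL update. The function names and the sample ldd output (library versions, addresses) are constructed for illustration.

```sh
#!/bin/sh
# Added example: list executables whose ldd output names a given library.

# libssl_users [LIBPREFIX]
# Reads ldd output on stdin and prints "binary<TAB>resolved library path"
# for every binary linking a library named LIBPREFIX.so* (default: libssl).
libssl_users() {
    awk -v lib="${1:-libssl}" '
        # Per-file header line, e.g. "/usr/bin/fetch:" (no leading whitespace).
        /^[^ \t].*:$/ { bin = substr($0, 1, length($0) - 1); next }
        # Dependency line, e.g. "  libssl.so.7 => /usr/lib/libssl.so.7 (0x...)".
        /^[ \t]/ && index($1, lib ".so") == 1 {
            print bin "\t" ($2 == "=>" ? $3 : $1)
        }
    '
}

# Constructed sample in the ldd multi-file layout; not captured from a real host.
sample_ldd_output() {
    cat <<'EOF'
/usr/bin/fetch:
	libfetch.so.6 => /usr/lib/libfetch.so.6 (0x800822000)
	libssl.so.7 => /usr/lib/libssl.so.7 (0x800a35000)
	libc.so.7 => /lib/libc.so.7 (0x800c9f000)
/usr/bin/less:
	libncurses.so.8 => /lib/libncurses.so.8 (0x800845000)
	libc.so.7 => /lib/libc.so.7 (0x800a92000)
/usr/sbin/wpa_supplicant:
	libssl.so.7 => /usr/lib/libssl.so.7 (0x8008c1000)
	libc.so.7 => /lib/libc.so.7 (0x800b2b000)
EOF
}

# On a live system, feed it the same globs the message uses:
#   ldd /usr/bin/* /usr/sbin/* 2>/dev/null | libssl_users
sample_ldd_output | libssl_users
```

ldd reports only dynamically linked dependencies, so a statically linked binary that embeds OpenSSL will not appear in this list.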