From: Chris Nehren
To: freebsd-security@freebsd.org
Date: Tue, 8 Apr 2014 13:42:10 -0400
Subject: FreeBSD's heartbleed response
Message-ID: <20140408174210.GA5433@behemoth>

First, please let me say that I understand that FreeBSD is a volunteer project. I know that most everyone is using donated time and donated hardware. You'll find some old email addresses of mine in the ports collection, in fact, and it's in the spirit of volunteering that I write today.

The Heartbleed vulnerability is probably the highest priority, farthest-reaching vulnerability I've ever seen. Yet nearly a day later, FreeBSD remains unpatched. There are many worried sysadmins and other users in #freebsd and elsewhere wondering what's going on and when their systems will be patched. So far all we have is an unofficial gist on github and some discussion here (which most users don't see) with no further information. More transparency is needed.

Given the above, I come with a request to help: how can the userbase at large help with getting these sorts of fixes out more quickly? I and others have hardware and time we'd be glad to donate if it would help resolve these sorts of critical issues more quickly.

I'm sorry if I sound impatient. I want to help, but don't know how, so I'm asking here.

--
Chris Nehren