Date: Wed, 09 Apr 2014 23:28:29 +0100
From: Joe Holden <lists@rewt.org.uk>
To: freebsd-security@freebsd.org
Subject: Re: Proposal
Message-ID: <5345C98D.7030907@rewt.org.uk>
In-Reply-To: <86d2gqz2he.fsf@nine.des.no>
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> <CADgEyUstkxO1i_B9Qsw=K9qT=nrh9evhv8VekMdNKauOQFN6dg@mail.gmail.com> <86d2gqz2he.fsf@nine.des.no>
The problem here is that a workaround wasn't communicated and I suspect a very small number of religious users actually sub to security@ - also bear in mind that the website wasn't updated until a number of hours after, including rss which I suspect most people use. I am not trying to undermine the required testing here, but a simple binary patch via freebsd-update to disable heartbeats would have done in the interim (who even uses them, or knows about them). IME issues like this need to be patched first, tested later since it covers probably a large portion of the user base.

I will say that the Cloudflare disclosure was entirely irresponsible and an attempt at sly marketing, but someone should have been on this (not discounting Xin Li's quick patch, which basically nobody saw) straight away. If it is a case of lack of resources then as already mentioned, more resource is available if required - although I am unaware of the approval procedures required to publish such a patch.

Not trying to start a flame war here but we've been upstaged by CentOS of all things...

Cheers,
Joe

On 09/04/2014 21:12, Dag-Erling Smørgrav wrote:
> Nathan Dorfman <na@rtfm.net> writes:
>> Is it implausible to suggest that before embarking on the task of
>> backporting, reviewing, testing and releasing the actual fix, an
>> announcement could have been made immediately with the much simpler
>> workaround of adding -DOPENSSL_NO_HEARTBEATS to the OpenSSL compiler
>> flags?
>
> No, that's not implausible, although I don't know whether that
> workaround was known at the time. It seems obvious in retrospect, but
> may not have been that obvious under pressure. Was it mentioned in the
> OpenSSL advisory?
>
> If all you wanted to hear was "we're working on it", well, Xin did write
> that almost on -security exactly 48 hours ago.
>
> DES
>
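The thread turns on two facts an administrator can check locally: which OpenSSL version a host is running, and whether the library was built with `-DOPENSSL_NO_HEARTBEATS` (the interim workaround Nathan Dorfman raises). The POSIX shell script below is an added triage example, not code from this thread or from the FreeBSD project; it classifies the text of `openssl version -a` (the version line plus the `compiler:` line with the build flags) as unaffected, mitigated or vulnerable. The affected-version range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is supplied by me from the public OpenSSL advisory, and the sample outputs are constructed, not captured from any host mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): triage an OpenSSL build
# from captured `openssl version -a` text. Assumptions (mine): the Heartbleed
# affected range is 1.0.1 .. 1.0.1f and 1.0.2-beta1; a "compiler:" line that
# carries -DOPENSSL_NO_HEARTBEATS means the heartbeat extension was compiled
# out, which is the interim workaround discussed in the thread.

# Extract the version token (e.g. "1.0.1e-freebsd") from the first line,
# which has the form "OpenSSL 1.0.1e-freebsd 11 Feb 2013".
openssl_version_token() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# Return 0 when the token falls in the affected range, 1 otherwise. Vendor
# suffixes such as "-freebsd" are tolerated after the patch letter.
version_in_affected_range() {
    case "$1" in
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1|1.0.2-beta1-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one of: unknown, unaffected, mitigated, vulnerable.
classify_openssl_build() {
    ver=$(openssl_version_token "$1")
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    if ! version_in_affected_range "$ver"; then
        echo unaffected
        return 0
    fi
    # Only the "compiler:" line carries CFLAGS; require the define as a whole
    # word so a hypothetical -DOPENSSL_NO_HEARTBEATS_FOO does not match.
    if printf '%s\n' "$1" | grep -q '^compiler:.*-DOPENSSL_NO_HEARTBEATS\( \|$\)'; then
        echo mitigated
    else
        echo vulnerable
    fi
}

# Constructed samples (labelled as such; not real output from any host).
SAMPLE_VULNERABLE='OpenSSL 1.0.1e-freebsd 11 Feb 2013
built on: date not available
platform: FreeBSD-amd64
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -O2 -pipe'

SAMPLE_MITIGATED='OpenSSL 1.0.1e-freebsd 11 Feb 2013
built on: date not available
platform: FreeBSD-amd64
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -DOPENSSL_NO_HEARTBEATS -O2 -pipe'

SAMPLE_UNAFFECTED='OpenSSL 1.0.1g 7 Apr 2014
built on: date not available
platform: FreeBSD-amd64
compiler: cc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -O2 -pipe'

# Stand-alone run: report each constructed sample, then the live host if
# an openssl binary is present on PATH.
for sample in "$SAMPLE_VULNERABLE" "$SAMPLE_MITIGATED" "$SAMPLE_UNAFFECTED"; do
    printf '%-16s %s\n' "$(openssl_version_token "$sample")" "$(classify_openssl_build "$sample")"
done
if command -v openssl >/dev/null 2>&1; then
    printf 'local host:      %s\n' "$(classify_openssl_build "$(openssl version -a 2>/dev/null)")"
fi
```

Treat "vulnerable" as "needs a closer look" rather than a verdict: a fix applied in place, as the base-system patch discussed in the thread was, leaves the version token unchanged, so a host can report 1.0.1e and still be patched. The script is useful for spotting builds that carry neither a post-fix version nor the compile-time workaround; confirming the patch level itself has to come from the system's own update tooling.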
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5345C98D.7030907>