From owner-freebsd-security@FreeBSD.ORG  Thu Apr 10 14:56:42 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 610595A9
 for <freebsd-security@freebsd.org>; Thu, 10 Apr 2014 14:56:42 +0000 (UTC)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM
 [IPv6:2605:8e00:100:41::81])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 35CF81BEB
 for <freebsd-security@freebsd.org>; Thu, 10 Apr 2014 14:56:42 +0000 (UTC)
Received: from [10.20.30.90] (50-1-98-175.dsl.dynamic.sonic.net [50.1.98.175])
 (authenticated bits=0)
 by hoffman.proper.com (8.14.8/8.14.7) with ESMTP id s3AEucJN007387
 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO);
 Thu, 10 Apr 2014 07:56:40 -0700 (MST)
 (envelope-from paul.hoffman@vpnc.org)
X-Authentication-Warning: hoffman.proper.com: Host
 50-1-98-175.dsl.dynamic.sonic.net [50.1.98.175] claimed to be [10.20.30.90]
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
Subject: A different proposal
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9+L6QQ@mail.gmail.com>
Date: Thu, 10 Apr 2014 07:56:37 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <C8D2649E-4BD0-4124-9915-CCE1DCCB1A6A@vpnc.org>
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com>
 <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl>
 <867g6y1kfe.fsf@nine.des.no>
 <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9+L6QQ@mail.gmail.com>
To: freebsd-security@freebsd.org
X-Mailer: Apple Mail (2.1874)
X-Mailman-Approved-At: Thu, 10 Apr 2014 15:29:36 +0000
Cc: Pawel Biernacki <pawel.biernacki@gmail.com>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 14:56:42 -0000

On Apr 9, 2014, at 3:46 PM, Pawel Biernacki <pawel.biernacki@gmail.com> =
wrote:

> Since such situations had happened in the past and are still
> happening, something should be done about them.

Quite right. It is reasonable to assume that, given what we now know =
about the memory allocation scheme in OpenSSL, that other bugs exist and =
will only be found by exploits. Thus, it is reasonable to assume that =
there will be future emergencies like Heartbleed related to bugs in =
OpenSSL.

If your reliance on OpenSSL bugs being fixed requires a fix at a rate =
faster than what the FreeBSD community provides, then you should not =
rely on the FreeBSD community. Install OpenSSL on your mission-critical =
systems from OpenSSL source, not from FreeBSD ports or packages. The =
OpenSSL source will always be updated before the FreeBSD community fixes =
are released.

--Paul Hoffman (who will continue to rely on the FreeBSD community for =
OpenSSL, and is in fact terribly grateful for the volunteers who did =
this work as quickly as they did)=