Date:      Thu, 10 Apr 2014 15:36:48 -0400
From:      ari edelkind <edelkind-list-freebsd-security@episec.com>
To:        freebsd-security@freebsd.org
Subject:   Re: A different proposal
Message-ID:  <CAPxErSVKxXEgBCh0g77193Hz8vTZiUcVTXuMAQyx=Bm=BMcVNg@mail.gmail.com>
In-Reply-To: <C8D2649E-4BD0-4124-9915-CCE1DCCB1A6A@vpnc.org>
References:  <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no> <CAA3htvv_DePi_A-UjtG0hvybfRSE8KgvSjq5m3yM0FGX9%2BL6QQ@mail.gmail.com> <C8D2649E-4BD0-4124-9915-CCE1DCCB1A6A@vpnc.org>

On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:

> Quite right. It is reasonable to assume that, given what we now know about
> the memory allocation scheme in OpenSSL, that other bugs exist and will
> only be found by exploits. Thus, it is reasonable to assume that there will
> be future emergencies like Heartbleed related to bugs in OpenSSL.
>

I'm guessing you read a popular post by Theo de Raadt that's been going
around.  Sorry, but OpenBSD's bastardized memory allocation scheme would
not have solved this; OpenSSL's malloc implementation was not to blame
here.  Amateurish failure to check the sanity of user-supplied input was to
blame.  Idiotic, error-prone protocol specifications, written by
non-programmers, were to blame.  OpenSSL's allocator, in this instance,
worked fine -- even if it isn't the optimal choice for all operating
systems.

> If your reliance on OpenSSL bugs being fixed requires a fix at a rate
> faster than what the FreeBSD community provides, then you should not rely
> on the FreeBSD community.


Or just make sure that all of your running services link to the OpenSSL
library built from ports.  While I'm not exactly thrilled with the prospect
of waiting a significant amount of time for a vulnerability in the base
distribution to be officially patched, relying on the base system for
something like that is a bit like taking a tank to the racetrack.


> Install OpenSSL on your mission-critical systems from OpenSSL source, not
> from FreeBSD ports or packages.


This is a poor idea from a maintenance standpoint.  Firstly, the ports
system was updated fairly quickly, but aside from that, updating an
existing port yourself to download and install the next version is usually
a trivial task.  And you get package management for free.

ari
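
Added example, not part of the original message and not OpenSSL's code: the message attributes Heartbleed to a missing sanity check on user-supplied input rather than to the allocator, and this sketch shows that check for a heartbeat message laid out as in RFC 6520. The function name `hb_extract_payload` and the buffer parameters are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST      1   /* heartbeat_request message type (RFC 6520) */
#define HB_HEADER_LEN   3   /* 1-byte type + 2-byte payload_length */
#define HB_MIN_PADDING  16  /* RFC 6520 requires at least 16 padding bytes */

/*
 * Copy the heartbeat payload out of a received message into `out`.
 * rec/rec_len describe the bytes that actually arrived on the wire.
 * Returns the payload length on success, or -1 when the message must be
 * discarded without a reply.
 */
int hb_extract_payload(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    size_t claimed;

    /* Too short to hold even an empty payload plus minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    /* payload_length is chosen by the peer: 16-bit, big-endian. */
    claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The sanity check: the claimed length must fit inside the bytes
     * that were received, after the header and the mandatory padding.
     * Without it, the memcpy below reads past the end of `rec`. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    if (claimed > out_cap)
        return -1;

    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}
```

The bound is computed from `rec_len`, the length of the data received, so the result is the same whichever allocator backs the buffer.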


