From: ari edelkind
Date: Thu, 10 Apr 2014 15:36:48 -0400
To: freebsd-security@freebsd.org
Subject: Re: A different proposal
List-Id: "Security issues [members-only posting]"
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no>

On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:

> Quite right. It is reasonable to assume that, given what we now know about
> the memory allocation scheme in OpenSSL, other bugs exist and will
> only be found by exploits. Thus, it is reasonable to assume that there will
> be future emergencies like Heartbleed related to bugs in OpenSSL.

I'm guessing you read a popular post by Theo de Raadt that's been going
around. Sorry, but OpenBSD's bastardized memory allocation scheme would not
have solved this; OpenSSL's malloc implementation was not to blame here.
Amateurish failure to check the sanity of user-supplied input was to blame.
Idiotic, error-prone protocol specifications, written by non-programmers,
were to blame. OpenSSL's allocator, in this instance, worked fine -- even if
it isn't the optimal choice for all operating systems.

> If your reliance on OpenSSL bugs being fixed requires a fix at a rate
> faster than what the FreeBSD community provides, then you should not rely
> on the FreeBSD community.

Or just make sure that all of your running services link to the OpenSSL
library built from ports. While I'm not exactly thrilled with the prospect
of waiting a significant amount of time for a vulnerability in the base
distribution to be officially patched, relying on the base system for
something like that is a bit like taking a tank to the racetrack.

> Install OpenSSL on your mission-critical systems from OpenSSL source, not
> from FreeBSD ports or packages.

This is a poor idea from a maintenance standpoint. Firstly, the ports system
was updated fairly quickly, but aside from that, updating an existing port
yourself to download and install the next version is usually a trivial
task. And you get package management for free.

ari
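The check behind "make sure all of your running services link to the OpenSSL library built from ports", as an added example that is not part of the thread or of any FreeBSD tooling: a small POSIX sh script that reads ldd(1) output and reports whether a binary resolves libssl/libcrypto from the ports tree (/usr/local/lib), from the base system (/usr/lib or /lib), from both at once, or not at all. The script name, function names and the ldd samples are constructed for illustration; the .so version suffixes (libssl.so.7 in base, libssl.so.8 in the port) are an assumption about FreeBSD 10.0 of that era, not something the thread states.

```shell
#!/bin/sh
# ssl_link_audit.sh (hypothetical name; added example, not from the thread).
# Reports which libssl/libcrypto a FreeBSD binary resolves at run time, so a
# service believed to use the ports OpenSSL (/usr/local/lib) can be checked
# against quietly linking the base-system copy (/usr/lib, /lib).

# classify_ssl_link: reads ldd(1) output on stdin and prints one word:
#   ports  - libssl/libcrypto resolve under /usr/local/lib (security/openssl port)
#   base   - they resolve from the base system (/usr/lib or /lib)
#   mixed  - the two libraries come from different trees (almost always a bug)
#   other  - they resolve from some other prefix (e.g. a hand-built install)
#   none   - no dynamic libssl/libcrypto (static link, or not a TLS consumer)
classify_ssl_link() {
    # Keep only the resolved paths of the two TLS libraries. A "not found"
    # line carries no path and therefore contributes nothing.
    _paths=$(awk '/lib(ssl|crypto)\.so/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }')
    if [ -z "$_paths" ]; then
        echo none
        return 0
    fi
    _ports=0; _base=0; _other=0
    for _p in $_paths; do
        case "$_p" in
            /usr/local/lib/*) _ports=1 ;;
            /usr/lib/*|/lib/*) _base=1 ;;
            *) _other=1 ;;
        esac
    done
    if [ $(( _ports + _base + _other )) -gt 1 ]; then
        echo mixed
    elif [ "$_ports" -eq 1 ]; then
        echo ports
    elif [ "$_base" -eq 1 ]; then
        echo base
    else
        echo other
    fi
}

# audit_binary: run ldd on a real executable and print "<verdict> <path>".
audit_binary() {
    if [ ! -x "$1" ]; then
        echo "skip $1 (not an executable)"
        return 0
    fi
    echo "$(ldd "$1" 2>/dev/null | classify_ssl_link) $1"
}

# Constructed ldd output (not captured from a real host). Version suffixes
# assume FreeBSD 10.0: base OpenSSL ships libssl.so.7, the security/openssl
# port of the time ships libssl.so.8.
sample_ldd_ports() {
    printf '%s\n' '/usr/local/sbin/nginx:' \
        '        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)' \
        '        libcrypto.so.8 => /usr/local/lib/libcrypto.so.8 (0x800c00000)' \
        '        libc.so.7 => /lib/libc.so.7 (0x801000000)'
}
sample_ldd_base() {
    # Base sshd uses libcrypto only; a single library still gets classified.
    printf '%s\n' '/usr/sbin/sshd:' \
        '        libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)' \
        '        libc.so.7 => /lib/libc.so.7 (0x801000000)'
}
sample_ldd_mixed() {
    # A port built against the ports libssl but pulling the base libcrypto:
    # the case that silently re-exposes you to an unpatched base library.
    printf '%s\n' '/usr/local/bin/curl:' \
        '        libssl.so.8 => /usr/local/lib/libssl.so.8 (0x800a00000)' \
        '        libcrypto.so.7 => /lib/libcrypto.so.7 (0x800c00000)'
}
sample_ldd_none() {
    printf '%s\n' '/bin/sh:' \
        '        libedit.so.7 => /lib/libedit.so.7 (0x800a00000)' \
        '        libc.so.7 => /lib/libc.so.7 (0x801000000)'
}

# Usage: sh ssl_link_audit.sh /usr/local/sbin/nginx /usr/sbin/sshd ...
for _bin in "$@"; do
    audit_binary "$_bin"
done
```

Point it at the executables of your listening services (on FreeBSD, procstat -b PID prints a running process's executable path). Anything reported as base or mixed is still exposed to whatever is unpatched in the base libssl/libcrypto, however current the ports tree is; a result of none for something you know speaks TLS means OpenSSL was linked statically, which ldd cannot see and which needs a rebuild rather than a library update.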