From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 22:28:06 2014
Subject: Re: A different proposal
From: Paul Hoffman
To: freebsd-security@freebsd.org
Date: Thu, 10 Apr 2014 15:28:01 -0700
References: <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <867g6y1kfe.fsf@nine.des.no>
List-Id: "Security issues [members-only posting]"

On Apr 10, 2014, at 12:36 PM, ari edelkind wrote:

> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
>
>> Quite right.
>> It is reasonable to assume that, given what we now know about
>> the memory allocation scheme in OpenSSL, that other bugs exist and will
>> only be found by exploits. Thus, it is reasonable to assume that there will
>> be future emergencies like Heartbleed related to bugs in OpenSSL.
>>
>
> I'm guessing you read a popular post by Theo de Raadt that's been going
> around. Sorry, but OpenBSD's bastardized memory allocation scheme would
> not have solved this; OpenSSL's malloc implementation was not to blame
> here.

I have heard from others, less interested in self-aggrandizement than Theo, that OpenSSL's malloc was significantly to blame. I'm not saying OpenBSD's is better, just that I have heard from multiple sources that OpenSSL malloc-wrapping both hides some bugs and makes them hard to find with automated tools.

> Amateurish failure to check the sanity of user-supplied input was to
> blame.

Yes.

> Idiotic, error-prone protocol specifications, written by
> non-programmers, were to blame.

Not in this case.

> OpenSSL's allocator, in this instance,
> worked fine -- even if it isn't the optimal choice for all operating
> systems.

Maybe; I'm certainly not in a position to say either way.

>> If your reliance on OpenSSL bugs being fixed requires a fix at a rate
>> faster than what the FreeBSD community provides, then you should not rely
>> on the FreeBSD community.
>
>
> Or just make sure that all of your running services link to the OpenSSL
> library built from ports. While I'm not exactly thrilled with the prospect
> of waiting a significant amount of time for a vulnerability in the base
> distribution to be officially patched, relying on the base system for
> something like that is a bit like taking a tank to the racetrack.

Updates to ports are inherently slower than patches from the OpenSSL team.
My point is not that either ports or distribution are "too slow" for everyone: it is that if you are sure you need something faster than them, there is another option.

>> Install OpenSSL on your mission-critical systems from OpenSSL source, not
>> from FreeBSD ports or packages.
>
>
> This is a poor idea from a maintenance standpoint. Firstly, the ports
> system was updated fairly quickly,

...but not necessarily quick enough for the people complaining about the response speed of the FreeBSD team...

> but aside from that, updating an
> existing port yourself to download and install the next version is usually
> a trivial task. And you get package management for free.

Again: the whole point of this thread is people who apparently need more speed, demanding that someone be paid to make things faster for them.

--Paul Hoffman
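The two claims argued over above, that the bug was a missing sanity check on a user-supplied length and that a pool-style allocator can turn such an over-read into a silent leak rather than a crash, are easier to see in code than in prose. The following is an added example written for this page; it is not code from the thread, from OpenSSL or from any BSD. The record layout (type byte, 2-byte big-endian payload length, payload, at least 16 bytes of padding) follows RFC 6520, and the bound in hb_echo_checked is the same arithmetic the published Heartbleed fix enforces. Everything else is constructed for illustration: the static arena standing in for a freelist allocator, the planted SECRET marker, the 4-byte "ping" payload and the function names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed arena standing in for a pool/freelist allocator that carves
 * adjacent chunks from one block: a read past the end of a record lands in
 * a neighbouring chunk (stale data from an earlier user of the pool), not
 * in a guard page, so nothing faults and a sanitizer wrapped around the
 * system malloc never sees the access. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];

/* Constructed marker for whatever happened to be left in that chunk. */
static const char SECRET[] = "CONSTRUCTED-SECRET-0123456789";
#define SECRET_OFFSET 64

/* RFC 6520 heartbeat layout: type, 2-byte length, payload, >= 16 padding. */
enum { HB_REQUEST = 1, HB_HEADER = 3, HB_PADDING = 16 };
static const char PAYLOAD[] = "ping";            /* the 4 real payload bytes */

/* Lays a record at arena[0] whose header claims declared_len payload bytes
 * while only 4 are present, plants SECRET further into the same arena, and
 * returns the record's true length as it arrived on the wire (23 bytes). */
static size_t build_arena(uint16_t declared_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(declared_len >> 8);
    arena[2] = (unsigned char)(declared_len & 0xff);
    memcpy(arena + HB_HEADER, PAYLOAD, 4);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    return HB_HEADER + 4 + HB_PADDING;
}

/* Vulnerable shape: the echo length comes from the peer-controlled header
 * and is never compared with the number of bytes actually received.
 * Returns the number of bytes copied into out. */
size_t hb_echo_unchecked(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                               /* never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload_len > out_cap) return 0;         /* only the reply buffer is bounded */
    memcpy(out, rec + HB_HEADER, payload_len);   /* runs past the 23-byte record */
    return payload_len;
}

/* Hardened shape: header + declared payload + minimum padding must fit in
 * the bytes that arrived, or the record is dropped. 0 on success, -1 on
 * rejection. */
int hb_echo_checked(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap, size_t *out_len) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HEADER + payload_len + HB_PADDING > rec_len) return -1;
    if (payload_len > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, payload_len);
    *out_len = payload_len;
    return 0;
}

static int contains(const unsigned char *hay, size_t n, const char *needle) {
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the unchecked handler echoes the planted secret back to the peer. */
int unchecked_leaks_secret(void) {
    unsigned char out[ARENA_SIZE];
    size_t rec_len = build_arena(128);           /* claims 128, sends 4 */
    size_t n = hb_echo_unchecked(arena, rec_len, out, sizeof out);
    return contains(out, n, SECRET);
}

/* 1 if the checked handler rejects the same oversized record. */
int checked_rejects_oversized(void) {
    unsigned char out[ARENA_SIZE];
    size_t n = 0;
    size_t rec_len = build_arena(128);
    return hb_echo_checked(arena, rec_len, out, sizeof out, &n) == -1;
}

/* 1 if the checked handler still echoes an honest 4-byte request. */
int checked_echoes_honest(void) {
    unsigned char out[ARENA_SIZE];
    size_t n = 0;
    size_t rec_len = build_arena(4);
    if (hb_echo_checked(arena, rec_len, out, sizeof out, &n) != 0) return 0;
    return n == 4 && memcmp(out, PAYLOAD, 4) == 0;
}

int main(void) {
    printf("unchecked handler leaks secret: %d\n", unchecked_leaks_secret());
    printf("checked handler rejects record: %d\n", checked_rejects_oversized());
    printf("checked handler echoes honest : %d\n", checked_echoes_honest());
    return 0;
}
```

The over-read in hb_echo_unchecked stays inside the arena on purpose, which is exactly the point: with every chunk handed out from one block there is no unmapped page for the bad read to hit, so the service answers normally and the only symptom is the extra bytes in the reply. The same copy against a guard-page or sanitizer-instrumented heap would have aborted the process, which is the sense in which a wrapped allocator can hide a bug from automated tools.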