-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 04/09/14 13:12, Dag-Erling Smørgrav wrote: > Nathan Dorfman <n...@rtfm.net> writes: >> Is it implausible to suggest that before embarking on the task >> of backporting, reviewing, testing and releasing the actual fix, >> an announcement could have been made immediately with the much >> simpler workaround of adding -DOPENSSL_NO_HEARTBEATS to the >> OpenSSL compiler flags? > > No, that's not implausible, although I don't know whether that > workaround was known at the time. It seems obvious in retrospect, > but may not have been that obvious under pressure. Was it > mentioned in the OpenSSL advisory?
The OpenSSL advisory did mentioned it. I didn't mention the workaround because I had posted our patch (ported and committed to secteam repo pending review at about 13:00 PDT I think, which later was revised because another unrelated CVE), and the workaround also requires recompile. Moreover, the patch would provide better protection because it changes the code so NO_CLEAN= won't skip it in an incremental build, while with -DOPENSSL_NO_HEARTBEATS it's possible that the user can mistakenly miss the fix. Cheers, - -- Xin LI <delp...@delphij.net> https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQIcBAEBCgAGBQJTRauaAAoJEJW2GBstM+nsxtIQAKOcxp0ziuJgrEpCg9yt2q7B rU6P6xOfVAbdMcNtj0v1XpXPyRrCtK2VHSYEd1BIIWlrYBwSLByeU2hfkYI0+TRS FGslwuiQVZFgkqfzQjHysAf3gZICa93q8PseHD0zcMb2gLYBqHxQo222dXBjJYY4 kdvK0qBaIy8JtYGyQbyZl9nUku0s642mla8wGPb4cuTi57F2jQk2y1lFz8dZbz3+ tiGqoEk02uJsoTYOryfgaydc4WuZ63g0w8EMIsN+18qNAVigMPgzisG8kpljA/yx mcNGfqp31BV3cHLEPjjXt7dnXvVbiEkU17ZlMNGJbgnjirfpG5sSWDM3HX1QA2Ih GYh05a3V+l2ZgpaBhdg22KBYoH7GOc4bPs1tdHzGr1dKwzZpt3JyiR+vpCAmDfwr RxNeFqmJnsK8VfvmIYqQHlZoDCTnzH60z8ecZG1dy6GiBVge9bqPBDUl9wvBRion 3vR3UMi1Ieby9a73MbffEyboXAGjXIXOTYp8JioqUlutj8VhgXNstDTdBw04w3s0 5lMXA6xI5hseZ/uJukrouVTzGKwZzFWht583An4DIsN4hjc4oF+LyBsFp1DYkRmX H7WA8wqOuqTW8rVMPLiQzt3vZOTpC98q/xntAaYktAO5lHAFoBwQnO+5xYBrENEK yJqP4hDtWUvFqQqBXPzi =fETK -----END PGP SIGNATURE----- _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
