Paul Hoffman <[email protected]> wrote:
> Yes, that is a reasonable expectation. I certainly had it in my head when I
> rebuilt Sendmail+TLS after heartbleed, but I didn't think of checking it.

Been there :-) Fortunately, sendmail 'does the right thing'!

> It would be good to add such options to as many ports as possible if it can
> be done cleanly.

This is more for ports@ than security@, but isn't mixing of 2 different
versions potentially problematic? I have noticed one port that links against
base, but uses libcurl which links against ports, so there is a version
conflict there right away. I'd expect that some magic would need to be done
in the bsd.ports.Mk files, as you can't necessarily tell from just scanning
the port template.

> Also, note that this is not bashing on OpenSSL: given their new significant
> funding, I would certainly expect the OpenSSL project to be
> finding-and-fixing Heartbleed-level bugs repeatedly in the coming years. It
> is basically impossible to fix such a bug without bad actors being able to
> determine and exploit some of the fixes in unpatched systems.

Ditto. My concern is more general, and aligned to the POLA principle!

Cheers,
Jamie
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
