Bug 507566

Summary: dev-libs/openssl: Disable tls-heartbeat by default
Product: Gentoo Linux
Reporter: Hanno Böck <hanno>
Component: [OLD] Core system
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED DUPLICATE    
Severity: enhancement    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2014-04-13 14:13:03 UTC
I want to propose that tls-heartbeat gets disabled on openssl by default. I'm not aware of any software using it (if anyone does: drop me a message, I'm very interested). Grepping through the Gentoo tree, not a single package depends on openssl[tls-heartbeat].

I think we can conclude that this extension's usage in the real world is either nonexistent or very rare. So I don't see any justification for the +tls-heartbeat. More extensions mean more attack surface.

Use-flag can stay, but it should only be enabled by people who know why they need it, not by average Gentoo users.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2014-04-13 14:15:51 UTC

*** This bug has been marked as a duplicate of bug 507130 ***