Coding Practice [was Re: Serious OpenSSL vulnerability]
Jonathan Ryshpan
jonrysh at pacbell.net
Wed Apr 9 05:35:24 UTC 2014
On Tue, 2014-04-08 at 10:55 +0100, Patrick O'Callaghan wrote:
> https://www.openssl.org/news/secadv_20140407.txt
>
> See also http://heartbleed.com/ and
> http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/
>
> This is potentially very serious and can cause leakage of private keys
> and other information.
>
> The current version of OpenSSL on Fedora (standard repos and Koji) is
> 1.0.1e, which has this vulnerability. An upgrade to 1.0.1g should be
> provided urgently.
There's a front page article in the NY Times about this, first time ever
seen an article there about a technical subject.
It's an interesting question why Net infrastructure code continues to be
written in C, a language that provides no automatic checks for buffer
overflow, which (if I understand right) is the opening for this security
breach, along with so many others. And why is the code run on hardware
that provides no such checks? There have been languages and system that
check for overflow available for 40 years. Why doesn't anyone use them?
jon
More information about the users
mailing list