[Haifux] More information about latest OpenSSL/OpenSSH/OpenVPN vulnerabilities?
eli at billauer.co.il
Wed May 14 15:34:01 MSD 2008
Dotan Cohen wrote:
> Lesson 1: Comment your code when doing something unusual // for openssl
> Lesson 2: Patch upstream // for debian
I would go for
Lesson 0: Do not mess with cryptographic algorithms and code
> Though in the beginning I blamed Debian for this mess, after reading
> that article I'm starting to see the fault as being with the unusual,
> uncommented code in openssl.
Personally, I'm disappointed that such a stupid thing came from Debian.
My general opinion about them used to be that they do The Right Thing
when it comes to making design decisions. Their codefix to suppress
Valgrind warnings is something I would expect from anyone except Debian.
Of course, commenting is good and helps avoiding this, but in crypto
code I suppose every second line would be "don't touch this".
What really beats me, is why the original bug (consuming uninitialized
data) wasn't fixed in the main branch in the first place (which, I
understand, happened at a later stage) rather than in a local patch.
This is a big shame-on-you to Debian.
More information about the Haifux