[Haifux] More information about latest OpenSSL/OpenSSH/OpenVPN vulnerabilities?

Eli Billauer eli at billauer.co.il
Wed May 14 15:34:01 MSD 2008

Dotan Cohen wrote:

> Lesson 1: Comment your code when doing something unusual  // for openssl
> Lesson 2: Patch upstream  // for debian
I would go for

Lesson 0: Do not mess with cryptographic algorithms and code

> Though in the beginning I blamed Debian for this mess, after reading
> that article I'm starting to see the fault as being with the unusual,
> uncommented code in openssl.
Personally, I'm disappointed that such a stupid thing came from Debian.
My general opinion about them used to be that they do The Right Thing
when it comes to making design decisions. Their code fix to suppress
Valgrind warnings is something I would expect from anyone except Debian.

Of course, commenting is good and helps avoid this, but in crypto
code I suppose every second line would be "don't touch this".

What really beats me is why the original bug (consuming uninitialized
data) wasn't fixed in the main branch in the first place (which, I
understand, happened at a later stage) rather than in a local patch.

This is a big shame-on-you to Debian.