<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Sat, Apr 26, 2014 at 2:20 PM, Sorana Fraier <span dir="ltr"><<a href="mailto:sf10095@gmail.com" target="_blank">sf10095@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>There is now a fork by openbsd people for openssl. It's called libressl. <br><br><a href="http://www.libressl.org/" target="_blank">http://www.libressl.org/</a><br>
</div></div></blockquote><div><br></div><div>Why a fork ?!<br></div><div>There are bugs, some of them are set to be security risks, but you can never avoid bugs.<br></div><div>And when C and C++ are your main programming languages, the number of bugs rises, due to so many reasons such as:<br>
</div><div>1. memory management (with all of its issues)<br></div><div>2. improper data input<br></div><div>3. code that is hard to read and understand<br><br></div><div>etc... <br><br></div><div>I do think that the Heartbleed issue was anything else but a bug, and rewriting code will not make things less vulnerable for the next big bug that might exist.<br>
<br></div><div>So why do they fork it ?!<br></div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><br></div>They crave for more people to help. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Tue, Apr 15, 2014 at 5:57 AM, Michael Vasiliev <span dir="ltr"><<a href="mailto:lists@infoscav.net" target="_blank">lists@infoscav.net</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5">
<div style="direction:ltr" bgcolor="#FFFFFF" text="#000000">
<div>If any of you guys and gals think this
isn't serious, think twice. The CloudFlare SSL Heartbleed
challenge site's SSL key was stolen within hours of being
announced. There is a wave of security compromises all over the
world and sane CAs are offering free renewals of SSL certificates.<div><br>
<br>
On 04/11/2014 08:35 AM, Eli Billauer wrote:<br>
</div></div><div>
<blockquote type="cite">
<pre>Hi all,
I suppose that the security freaks already know about this, and still,
this seems important enough for an alert.
In a nutshell, a bug in the mechanism that allows keepalive messages to
be sent to maintain an SSL link, also allows, accidentally, a remote
attacker to read a segment of up to 64 kBytes from the server's memory.
It doesn't give access to any chunk of 64 kBytes, but it's a segment
which is likely to be dirty with data that belongs to the process
running openSSL. So there's a chance that data related to private keys
and passwords is revealed this way.
See <a href="http://en.wikipedia.org/wiki/Heartbleed" target="_blank">http://en.wikipedia.org/wiki/Heartbleed</a>
I haven't found any tool checking a local SSH server, say as source code
in C. I suppose it's being avoided for the sake of not supplying the
almost-finished attack to script kiddies.
Hag Sameah,
Eli
</pre>
</blockquote>
<br>
</div></div>
<br></div></div><div class="">_______________________________________________<br>
Haifux mailing list<br>
<a href="mailto:Haifux@haifux.org" target="_blank">Haifux@haifux.org</a><br>
<a href="http://haifux.org/mailman/listinfo/haifux" target="_blank">http://haifux.org/mailman/listinfo/haifux</a><br>
<br></div></blockquote></div><br></div>
<br></blockquote></div><br></div></div>
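As an added illustration of the bug Eli describes (this code is not from the thread, from OpenSSL, or from LibreSSL), the following C validator models a TLS heartbeat record as laid out in RFC 6520 (one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding) and contrasts the unchecked pattern, which trusts the peer's claimed length, with the check the fix introduced: the claimed payload must fit inside the bytes actually received. The sample records are constructed, not captured traffic, and the unchecked path only computes a length so the demo stays memory-safe.

```c
/* Added example: the missing bounds check behind Heartbleed, modelled over
 * a constructed heartbeat record. Layout per RFC 6520:
 *   type(1) | payload_length(2, big-endian) | payload | padding(>=16)
 * This is a simplified model, not OpenSSL's or LibreSSL's code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HB_HDR_LEN 3   /* type byte + 2-byte payload_length */
#define HB_MIN_PAD 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Decode the length the peer claims; never trust it on its own. */
static uint16_t hb_claimed_len(const uint8_t *rec)
{
    return (uint16_t)((rec[1] << 8) | rec[2]);
}

/* Unchecked pattern: the reply length comes straight from the claimed
 * payload_length and the real record length is never consulted. Returns
 * the number of bytes such code would copy into the reply. */
size_t hb_reply_len_unchecked(const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;  /* the bug: rec_len is ignored */
    return (size_t)hb_claimed_len(rec);
}

/* Checked pattern: accept a record only when the claimed payload plus the
 * mandatory padding fits inside the bytes actually received. */
int hb_record_ok(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HDR_LEN + HB_MIN_PAD)
        return 0;                       /* too short even for an empty payload */
    if (rec[0] != 1 && rec[0] != 2)
        return 0;                       /* 1 = heartbeat_request, 2 = heartbeat_response */
    size_t payload = hb_claimed_len(rec);
    if (HB_HDR_LEN + payload + HB_MIN_PAD > rec_len)
        return 0;                       /* claimed length overruns the record: drop it */
    return 1;
}

/* Reply length after validation; 0 means the record must be discarded. */
size_t hb_reply_len_checked(const uint8_t *rec, size_t rec_len)
{
    return hb_record_ok(rec, rec_len) ? (size_t)hb_claimed_len(rec) : 0;
}

/* Constructed sample records (not real traffic). */
/* Well-formed request: payload "ping" (4 bytes) plus 16 bytes of padding. */
static const uint8_t good_rec[] = {
    0x01, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* Malformed request: claims 0xFFFF payload bytes but carries only 4. */
static const uint8_t bad_rec[] = {
    0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};

int main(void)
{
    printf("good record: ok=%d unchecked=%zu checked=%zu\n",
           hb_record_ok(good_rec, sizeof good_rec),
           hb_reply_len_unchecked(good_rec, sizeof good_rec),
           hb_reply_len_checked(good_rec, sizeof good_rec));
    printf("bad record:  ok=%d unchecked=%zu checked=%zu\n",
           hb_record_ok(bad_rec, sizeof bad_rec),
           hb_reply_len_unchecked(bad_rec, sizeof bad_rec),
           hb_reply_len_checked(bad_rec, sizeof bad_rec));
    return 0;
}
```

The unchecked path returns 65535 for the malformed record, which is the "up to 64 kBytes" figure in the alert: the reply would be filled from whatever memory follows the short payload. The checked path rejects the same record outright, which is also the behaviour RFC 6520 prescribes for a malformed heartbeat.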