Hi,

A few things led me to question whether it is safe for OpenSSL to enable so many features. The heartbeat extension was not likely being used by anyone for its stated legitimate purpose. I've yet to use/need DTLS. I wondered if we could have had something along the lines of an openssl-heavy and openssl-light.

But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL 1.0.1g. It's now using native malloc/free instead of its own allocator, which allowed the Heartbleed bug to happen. From doing that, Ted Unangst found the cause of the bug now known as CVE-2010-5298. And obsolete code, such as for SSLv2 or portability with ancient systems, is being ripped out.

I wonder if this might result in an alternate SSL/TLS library we could use in Debian?

The effort curiously has its own fanpage in the style of the vulnerability that triggered it: http://opensslrampage.org

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org

Archive: https://lists.debian.org/53540cf1.5000...@pyro.eu.org
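The post's point about OpenSSL's private allocator is that a caching freelist never hands freed blocks back to the system allocator, so whatever hardening the system allocator applies (junk-filling freed memory, guard pages, use-after-free detection) never sees them, and a recycled block still carries the previous user's data. The following is an added illustration, not code from OpenSSL, OpenBSD or the author: a deliberately minimal freelist (`pool`, `pool_alloc`, `pool_free` are constructed names) with a switch that mimics the junk-on-free behaviour a hardened system allocator provides. `stale_secret_bytes` stores a constructed secret in a block, frees it, allocates again and counts how many secret bytes are still readable in the recycled block.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BLOCK_SIZE 64
#define SECRET "session-ticket-key"   /* constructed sample payload */

/* Toy caching allocator: freed blocks go onto a singly linked freelist and
 * are handed back verbatim on the next allocation. Only the link pointer
 * overwrites the first bytes; everything after it survives recycling. */
typedef struct free_block { struct free_block *next; } free_block;

typedef struct {
    free_block *head;
    int scrub_on_free;   /* 0: recycle as-is; 1: junk-fill before caching */
} pool;

static void *pool_alloc(pool *p) {
    if (p->head) {                    /* reuse a cached block first */
        free_block *b = p->head;
        p->head = b->next;
        return b;
    }
    return malloc(BLOCK_SIZE);        /* fall back to the system allocator */
}

static void pool_free(pool *p, void *mem) {
    if (p->scrub_on_free)
        memset(mem, 0xdf, BLOCK_SIZE); /* what a junk-filling allocator does on free */
    free_block *b = mem;
    b->next = p->head;
    p->head = b;
}

/* Return every cached block to the system allocator. */
static void pool_drain(pool *p) {
    while (p->head) {
        free_block *b = p->head;
        p->head = b->next;
        free(b);
    }
}

/* Number of bytes of SECRET still readable in a block that was freed to the
 * pool and then allocated again. 18 without scrubbing, 0 with it. */
size_t stale_secret_bytes(int scrub_on_free) {
    pool p = { NULL, scrub_on_free };
    const size_t off = sizeof(free_block);  /* keep the secret clear of the link field */
    char *a = pool_alloc(&p);
    if (!a)
        return 0;
    memset(a, 0, BLOCK_SIZE);
    memcpy(a + off, SECRET, sizeof SECRET);
    pool_free(&p, a);

    char *b = pool_alloc(&p);               /* the same block comes straight back */
    size_t n = 0;
    while (n < sizeof(SECRET) - 1 && b[off + n] == SECRET[n])
        n++;

    pool_free(&p, b);
    pool_drain(&p);
    return n;
}

int main(void) {
    printf("stale bytes, plain freelist : %zu\n", stale_secret_bytes(0));
    printf("stale bytes, junk-on-free   : %zu\n", stale_secret_bytes(1));
    return 0;
}
```

The freelist variant returns the full secret intact, which is the property that turns an out-of-bounds read on a recycled buffer into a leak of earlier data; the scrubbing variant returns nothing. Routing allocations through the system's malloc/free, as the OpenBSD cleanup does, is what lets a hardened allocator apply that scrubbing (and its other checks) to the library's buffers at all.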