On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote: > 24 hours for a fix that doesn't break ABI and is relatively simple (and > proven to be fine by other distros) is horrendous for such a critical > problem. I mentioned this on twitter also, but there wasn't even a headsup > from the SO until the patch went live. >
To give this some additional perspective, it took me approximately 30 minutes to write a working exploit. Everyone makes a big deal out of private keys (which, admittedly, are a big deal), but i was able to collect usernames, passwords, session credentials, back-end single-sign-on credentials (e.g. client tokens), database passwords, and more from affected hosts -- all quite easily. ari _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
