If you do not have the skill to deal with a missing export in a DLL, you do not have the skill to be working with security code.
> The problem is not that the release was made, the problem is that
> it was improperly labelled. By not saying that it was beta-quality,
> people were misled. There is a significant portion of the community
> that either doesn't have the skill or the inclination to deal with
> beta-quality software.
>
> The intent of not labelling the e, f, and g releases as beta was to
> have them widely distributed. However the opposite effect is
> happening as people will now be suspicious of the quality and will
> simply wait to see how things shake out.
>
> --- Jeffrey Altman <[EMAIL PROTECTED]> wrote:
> > > At 09:40 AM 8/9/2002 -0400, Gregg Andrew writeth:
> > > >OK so is version 0.9.6e that I just compiled with Apache-2.0.39 any good?
> > > It was my understanding that all known security issues were addressed and
> > > fixed in 0.9.6e version, is this still true? I'm running on Solaris 8.
> > > >Thanks
> > > >Gregg Andrew
> > >
> > > I'm just going to wait for them to get their act together and release an
> > > official _STABLE_ release before I go and get the "latest and greatest."
> > > Sure there might be some issues in the current stable version, but from
> > > what I'm seeing, they are putting out fixes without testing every platform.
> > > Given that the Windows platform is barely supported by the OpenSSL
> > > community, it is insane to constantly try the new updates only to find they
> > > don't compile or something else is wrong with them.
> > >
> > > Hope this helps!
> >
> > Actually it doesn't. The OpenSSL team is not capable of testing by
> > themselves all of the platforms on which their code is used. That
> > requires the help of the user community. Unfortunately, when they are
> > trying to get out an emergency fix to close a security hole that can
> > be used to compromise the integrity of any application or service that
> > uses OpenSSL on any operating system it is a bit hard to have a two
> > week public beta test.
> >
> > The OpenSSL team did what they felt was necessary and got a series of
> > patches out for all versions of OpenSSL going back at least five years
> > that when applied would alter the result of potential attacks by
> > turning attacks into a denial of service rather than a system
> > compromise. Granted, the applied patches did not work on some systems
> > when used with shared libraries (Windows, VMS) but the greater
> > community responded within several hours with:
> >
> > . a fix to the exports to allow the fix to be built on Windows
> >
> > . an analysis of the denial of service problem outlining the path
> > to removing it entirely while still closing the security holes
> >
> > . a series of patches that removed the denial of service attack
> >
> > these were then integrated into OpenSSL snapshots the next day. These
> > were released yesterday with several more fixes as 0.9.6f. Because it
> > is addressing a pressing security concern there was no public beta and
> > it was deemed necessary to get the build out right away before more
> > companies shipped products incorporating the denial of service. There
> > was a minor build problem on some systems, therefore 0.9.6g was
> > announced today.
> >
> > I think the OpenSSL team and the community should be congratulated for
> > their response to this problem. I only hope that vendors will be as
> > quick to integrate these fixes into their products so as to avoid
> > significant use of these holes for destructive purposes.
> >
> > - Jeff
> >
> >
> > Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
> > The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
> > http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and
> > [EMAIL PROTECTED]                         OpenSSL.
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]

Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and
[EMAIL PROTECTED]                         OpenSSL.