On Thu, Apr 10, 2014 at 6:28 PM, Paul Hoffman wrote:
> I have heard from others, less interested in self-aggrandizement than
> Theo, that OpenSSL's malloc was significantly to blame.
>
OpenSSL's simplistic malloc implementation exacerbated the information
exposure in this case, so you might well
On Apr 10, 2014, at 12:36 PM, ari edelkind wrote:
> On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
>
>> Quite right. It is reasonable to assume that, given what we now know about
>> the memory allocation scheme in OpenSSL, that other bugs exist and will
>> only be found by exploits. Thus
as proposing that you switch at your own speed before the next emergency. And
I'm not proposing that's the best thing to do: I'm certainly not going to, I'm
quite happy with the FreeBSD response.
This is a different proposal than "someone should get paid to reduce my
On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> Quite right. It is reasonable to assume that, given what we now know about
> the memory allocation scheme in OpenSSL, that other bugs exist and will
> only be found by exploits. Thus, it is reasonable to assume that there will
> be future eme
On Thu, Apr 10, 2014 at 10:56 AM, Paul Hoffman wrote:
> If your reliance on OpenSSL bugs being fixed requires a fix at a rate faster
> than what the FreeBSD community provides, then you should not rely on the
> FreeBSD community. Install OpenSSL on your mission-critical systems from
> OpenSSL s
On Apr 9, 2014, at 3:46 PM, Pawel Biernacki wrote:
> Since such situations had happened in the past and are still
> happening, something should be done about them.
Quite right. It is reasonable to assume that, given what we now know about the
memory allocation scheme in OpenSSL, that other bugs