Re: OT: Re: FYA: http://heartbleed.com/

2014-04-23 Thread Ralph Siegler
On Thu, 10 Apr 2014 03:44:26 +, Ralph W Siegler wrote: > Stuart Henderson spacehopper.org> writes: > > >> On 2014-04-09, sven falempin gmail.com> wrote: >> > I wish this : https://polarssl.org was open and inside the base >> >> You can wish, but that is commercial+GPL code so OpenBSD can

Re: FYA: http://heartbleed.com/

2014-04-12 Thread hruodr
patrick keshishian wrote: [...] > | ... the NSA has more than 1,000 experts > | devoted to ferreting out such flaws using > | sophisticated analysis techniques, many of them > | classified. The agency found Heartbleed shortly > | after its introduction, according to one of the > | people familiar

Re: FYA: http://heartbleed.com/

2014-04-11 Thread patrick keshishian
| [NSA] knew for at least two years about ... the | Heartbleed bug, and regularly used it to gather | critical intelligence, two people familiar with | the matter said. I was waiting for someone to say this. | ... the NSA has more than 1,000 experts | devoted to ferreting out such flaws using | s

Re: FYA: http://heartbleed.com/

2014-04-11 Thread Carlos Alberto Lopez Perez
On 08/04/14 21:40, Theo de Raadt wrote: >> On Tue, Apr 08, 2014 at 15:09, Mike Small wrote: >>> nobody writes: >>> "read overrun, so ASLR won't save you" >>> >>> What if malloc's "G" option were turned on? You know, assuming the >>> subset of the world's programs you use is good enough to run

Re: FYA: http://heartbleed.com/

2014-04-11 Thread hruodr
John Moser wrote: > On Thu, Apr 10, 2014 at 4:18 PM, John Moser wrote: > > > Also why has nobody corrected me on this yet? I've read El Reg's > > analysis, and they missed a critical detail that I didn't see until I read > > the code in context: IT ALLOCATES TOO SMALL OF A WRITE BUFFER, TOO.

Re: FYA: http://heartbleed.com/

2014-04-10 Thread John Moser
On Thu, Apr 10, 2014 at 4:18 PM, John Moser wrote: > Also why has nobody corrected me on this yet? I've read El Reg's > analysis, and they missed a critical detail that I didn't see until I read > the code in context: IT ALLOCATES TOO SMALL OF A WRITE BUFFER, TOO. Okay, > it would send out the

Re: FYA: http://heartbleed.com/

2014-04-10 Thread Theo de Raadt
> Maybe in your imaginary world where your malloc() library is a static code > correctness analysis tool instead of a behavioral anomaly detection tool. > > The fact remains that this was a boundary error triggered by incorrect user > input validation--that it would not crash under any circumstanc

Re: FYA: http://heartbleed.com/

2014-04-10 Thread Giancarlo Razzolini
On 10-04-2014 15:22, Theo de Raadt wrote: >>> Compile libssl with -DDOPENSSL_NO_BUF_FREELIST >>> >>> >> Yes but that's because OpenSSL is broken. > If OpenSSL had not been broken in this respect, Seggelmann's bug > would not have survived any sort of testing or peer review. > >> So no, fixing Op

Re: FYA: http://heartbleed.com/

2014-04-10 Thread Theo de Raadt
> > Compile libssl with -DDOPENSSL_NO_BUF_FREELIST > > > > > Yes but that's because OpenSSL is broken. If OpenSSL had not been broken in this respect, Seggelmann's bug would not have survived any sort of testing or peer review. > So no, fixing OpenSSL to work without its freelist would not necess

Re: FYA: http://heartbleed.com/

2014-04-10 Thread Theo de Raadt
> The moment this went out, some blackhat may have secretly analyzed the > diff between 1.0 and 1.0.1 and gone, "Oh lol!" Or maybe saw the new > support for TLS Heartbeat and gone, "Hey man, a new feature. I bet I > can break it!" Security researchers took until 1.0.1f to do this. Even before h

Re: FYA: http://heartbleed.com/

2014-04-10 Thread John Moser
Theo de Raadt cvs.openbsd.org> writes: > > So then a bug shows up which leaks the content of memory mishandled by > that layer. If the memory had been properly returned via free, it > would likely have been handed to munmap, and triggered a daemon crash > instead of leaking your keys. > So m

Re: OT: Re: FYA: http://heartbleed.com/

2014-04-09 Thread noah pugsley
On Wed, Apr 9, 2014 at 10:25 PM, Theo de Raadt wrote: > > The problem with that as I see it is that people will complain about > > not being able to donate to a specific subset of the project. As > > with OpenSSH in the past and probably present. The same way many > > complained before the foundat

Re: OT: Re: FYA: http://heartbleed.com/

2014-04-09 Thread Theo de Raadt
> The problem with that as I see it is that people will complain about > not being able to donate to a specific subset of the project. As > with OpenSSH in the past and probably present. The same way many > complained before the foundation existed about paying Theo's power > bill and humble salary.

Re: OT: Re: FYA: http://heartbleed.com/

2014-04-09 Thread noah pugsley
On Wed, Apr 9, 2014 at 8:44 PM, Ralph W Siegler wrote: > Stuart Henderson spacehopper.org> writes: > > > > > On 2014-04-09, sven falempin gmail.com> wrote: > > > I wish this : https://polarssl.org was open and inside the base > > > > You can wish, but that is commercial+GPL code so OpenBSD can'

Re: OT: Re: FYA: http://heartbleed.com/

2014-04-09 Thread Ralph W Siegler
Stuart Henderson spacehopper.org> writes: > > On 2014-04-09, sven falempin gmail.com> wrote: > > I wish this : https://polarssl.org was open and inside the base > > You can wish, but that is commercial+GPL code so OpenBSD can't use it in base. What I would wish for is the OpenSSH project to

Re: FYA: http://heartbleed.com/

2014-04-09 Thread Christian Weisgerber
On 2014-04-09, Theo de Raadt wrote: >>Is there any special reason why there is no /etc/malloc.conf by >>default (linking to, say, 'S') then? > > Yes, there's a real good reason -- too much portable software > breaks. No, the performance impact of the stricter malloc options means that developers

Re: FYA: http://heartbleed.com/

2014-04-09 Thread Theo de Raadt
>Theo de Raadt wrote: >>Some other debugging toolkits get them too. To a large extent these >>come with almost no performance cost. > >Is there any special reason why there is no /etc/malloc.conf by >default (linking to, say, 'S') then? Yes, there's a real good reason -- too much portable softwar

Re: FYA: http://heartbleed.com/

2014-04-09 Thread Otto Moerbeek
On Wed, Apr 09, 2014 at 11:49:56AM -0400, Philippe Meunier wrote: > Theo de Raadt wrote: > >Some other debugging toolkits get them too. To a large extent these > >come with almost no performance cost. > > Is there any special reason why there is no /etc/malloc.conf by > default (linking to, say,

Re: FYA: http://heartbleed.com/

2014-04-09 Thread Philippe Meunier
Theo de Raadt wrote: >Some other debugging toolkits get them too. To a large extent these >come with almost no performance cost. Is there any special reason why there is no /etc/malloc.conf by default (linking to, say, 'S') then? Philippe

Re: FYA: http://heartbleed.com/

2014-04-09 Thread Giancarlo Razzolini
On 09-04-2014 05:02, nobody wrote: > Perfect Forward Secrecy by default? Is it on in OpenBSD? I use httpd and with the default configuration it uses PFS by default, if you just enable ssl and setup the cert and key. But it allows any cipher, so an old browser or a client that does not support it

Re: OT: Re: FYA: http://heartbleed.com/

2014-04-09 Thread Stuart Henderson
On 2014-04-09, sven falempin wrote: > I wish this : https://polarssl.org was open and inside the base You can wish, but that is commercial+GPL code so OpenBSD can't use it in base. https://en.wikipedia.org/wiki/Secure_Transport#Overview Though I wonder how many OpenSSL premium support customer

Re: FYA: http://heartbleed.com/

2014-04-09 Thread nobody
Perfect Forward Secrecy by default? Is it on in OpenBSD? On Wed, Apr 9, 2014 at 9:07 AM, David Coppa wrote: > On Tue, Apr 8, 2014 at 9:40 PM, Theo de Raadt > wrote: > > > OpenSSL is not developed by a responsible team. > > And on twitter and google+ I've seen a lot of people who believe that >

Re: FYA: http://heartbleed.com/

2014-04-09 Thread David Coppa
On Tue, Apr 8, 2014 at 9:40 PM, Theo de Raadt wrote: > OpenSSL is not developed by a responsible team. And on twitter and google+ I've seen a lot of people who believe that OpenSSL is an OpenBSD project :(

Re: OT: Re: FYA: http://heartbleed.com/

2014-04-08 Thread sven falempin
On Tue, Apr 8, 2014 at 9:05 PM, noah pugsley wrote: > On Tue, Apr 8, 2014 at 12:40 PM, Theo de Raadt >wrote: > > > > On Tue, Apr 08, 2014 at 15:09, Mike Small wrote: > > > > nobody writes: > > > > > > > >> "read overrun, so ASLR won't save you" > > > > > > > > What if malloc's "G" option were t

OT: Re: FYA: http://heartbleed.com/

2014-04-08 Thread noah pugsley
On Tue, Apr 8, 2014 at 12:40 PM, Theo de Raadt wrote: > > On Tue, Apr 08, 2014 at 15:09, Mike Small wrote: > > > nobody writes: > > > > > >> "read overrun, so ASLR won't save you" > > > > > > What if malloc's "G" option were turned on? You know, assuming the > > > subset of the world's programs y

Re: FYA: http://heartbleed.com/

2014-04-08 Thread Theo de Raadt
> On Tue, Apr 08, 2014 at 15:09, Mike Small wrote: > > nobody writes: > > > >> "read overrun, so ASLR won't save you" > > > > What if malloc's "G" option were turned on? You know, assuming the > > subset of the world's programs you use is good enough to run with that. > > No. OpenSSL has exploi

Re: FYA: http://heartbleed.com/

2014-04-08 Thread Ted Unangst
On Tue, Apr 08, 2014 at 15:09, Mike Small wrote: > nobody writes: > >> "read overrun, so ASLR won't save you" > > What if malloc's "G" option were turned on? You know, assuming the > subset of the world's programs you use is good enough to run with that. No. OpenSSL has exploit mitigation count

Re: FYA: http://heartbleed.com/

2014-04-08 Thread Mike Small
nobody writes: > "read overrun, so ASLR won't save you" What if malloc's "G" option were turned on? You know, assuming the subset of the world's programs you use is good enough to run with that.

Re: FYA: http://heartbleed.com/

2014-04-08 Thread nobody
"read overrun, so ASLR won't save you" -> any pro-active thoughts to prevent this in the future? (I'm not a programmer, so.. pardon if my question is idiotic) Thanks! On Tue, Apr 8, 2014 at 7:34 PM, nobody wrote: > OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May > 2012)

FYA: http://heartbleed.com/

2014-04-08 Thread nobody
OpenBSD 5.3 (OpenSSL 1.0.1c 10 May 2012) and 5.4 (OpenSSL 1.0.1c 10 May 2012) how surprising.. but isn't ASLR supposed to protect from this? http://undeadly.org/cgi?action=article&sid=20140408063423