On Tue, 2014-04-08 at 10:55 +0100, Patrick O'Callaghan wrote: > https://www.openssl.org/news/secadv_20140407.txt > > See also http://heartbleed.com/ and > http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/ > > This is potentially very serious and can cause leakage of private keys > and other information. > > The current version of OpenSSL on Fedora (standard repos and Koji) is > 1.0.1e, which has this vulnerability. An upgrade to 1.0.1g should be > provided urgently.
There's a front page article in the NY Times about this, first time ever seen an article there about a technical subject. It's an interesting question why Net infrastructure code continues to be written in C, a language that provides no automatic checks for buffer overflow, which (if I understand right) is the opening for this security breach, along with so many others. And why is the code run on hardware that provides no such checks? There have been languages and system that check for overflow available for 40 years. Why doesn't anyone use them? jon -- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
