On Fri, Nov 22, 2002 at 11:28:27PM +1100, mlh wrote:
> Rich Salz wrote:
> >>I still see it as a problem, since the data then
> >>potentially sticks around for a longer time, and is therefore
> >>retrievable for anyone who cracked root if that would happen.
> >
> >
> >Anyone who can crack root will just install a trojan openssl library,
> >anyway.  Seems little point in holding up a release for this.
> >     /r$
> 
> Agreed.  It's not even clear you can prevent this
> sort of optimisation.
> 
> Some good discussions at
> 
> http://online.securityfocus.com/archive/1/300365/2002-11-12/2002-11-18/1
> 
> http://online.securityfocus.com/archive/82/297827/2002-10-26/2002-11-01/0

We did not conclusively investigate the risks and the options present.
That's why the release of 0.9.6h is postponed until we have evaluated
the situation.
0.9.6h is a maintenance release and I don't see any impact from postponing
it to next week.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
