On Fri, Nov 22, 2002 at 11:28:27PM +1100, mlh wrote:
> Rich Salz wrote:
> >>I still see it as a problem, since the data then
> >>potentially sticks around for a longer time, and is therefore
> >>retrievable for anyone who cracked root if that would happen.
> >
> >
> >Anyone who can crack root will just install a trojan openssl library,
> >anyway. Seems little point in holding up a release for this.
> > /r$
>
> Agreed. It's not even clear you can prevent this
> sort of optimisation.
>
> Some good discussions at
>
> http://online.securityfocus.com/archive/1/300365/2002-11-12/2002-11-18/1
>
> http://online.securityfocus.com/archive/82/297827/2002-10-26/2002-11-01/0

We did not conclusively investigate the risks and the options present.
That's why the release of 0.9.6h is postponed until we have evaluated the
situation. 0.9.6h is a maintenance release and I don't see any impact
from postponing it to next week.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]