On Saturday, April 12, 2014 at 03:43:29PM -0400, Michael Smith wrote:

> 
> On Apr 12, 2014, at 3:08 PM, Michael Tuexen 
> <michael.tue...@lurchi.franken.de> wrote:
> >>  
> > I have read the rumor. It is wrong. 
> 
> "Introduced with intent" vs. "known to the NSA" -- two 
> different things, right? 
> 
> I don't have any direct knowledge of what goes on in the 
> NSA, but if they don't have a whole cubicle farm full 
> of people looking for vulnerabilities, I'd be surprised. 
> OpenSSL would be an obvious high-value target for scrutiny 
> just because of its ubiquity. 

agreed; and this bug wasn't hard to see (even for me, sitting in a
restaurant with a netbook); in my company we do code review face to
face, i.e. two persons (the coder and the reviewer) wade through the new
code; one target we always question is copies in memory: does the
amount of data fit into the target location, and is the source amount a
valid space...

        matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz, <g...@unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
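The two review questions Matthias describes (does the copy fit the destination, and does the source really hold that many bytes), worked through as an added C example. This is not code from the thread or from OpenSSL: the record layout (type byte, 16-bit big-endian declared length, payload), the function names and the "neighbour" bytes placed after the record are all constructed for the illustration. The unchecked version answers only the destination question and so copies out whatever follows a record that declares more payload than it carried; the checked version asks both questions and rejects the lying record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout (an assumption for this example, not any real
 * protocol's wire format):
 *   byte 0      record type
 *   bytes 1..2  declared payload length, big-endian
 *   bytes 3..   payload
 */
#define HDR_LEN 3
#define ARENA   256

static size_t declared_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Echo a record back, trusting the declared length: the destination is
 * checked, the source is not. If the peer declares more payload than it
 * sent, the second memcpy reads past the received bytes into whatever
 * sits after the record in memory. Returns bytes written to out, 0 on reject. */
size_t echo_unchecked(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap) {
    if (rec_len < HDR_LEN) return 0;
    size_t n = declared_len(rec);
    if (HDR_LEN + n > out_cap) return 0;       /* does it fit the destination? */
    memcpy(out, rec, HDR_LEN);
    memcpy(out + HDR_LEN, rec + HDR_LEN, n);   /* is the source that big? never asked */
    return HDR_LEN + n;
}

/* The same echo with both review questions answered. */
size_t echo_checked(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap) {
    if (rec_len < HDR_LEN) return 0;
    size_t n = declared_len(rec);
    if (n > rec_len - HDR_LEN) return 0;       /* source: declared more than received */
    if (HDR_LEN + n > out_cap) return 0;       /* destination: fits? */
    memcpy(out, rec, HDR_LEN);
    memcpy(out + HDR_LEN, rec + HDR_LEN, n);
    return HDR_LEN + n;
}

/* Constructed "neighbour" bytes placed right after the record in the same
 * buffer, standing in for whatever else lives in process memory. */
static const char NEIGHBOUR[] = "neighbouring-data-that-should-never-leave";

/* Lay out a 4-byte record ("ping") that declares `declared` payload bytes,
 * followed by NEIGHBOUR. Returns the number of bytes actually "received". */
static size_t build_arena(uint8_t *arena, uint16_t declared) {
    memset(arena, 0, ARENA);
    arena[0] = 1;
    arena[1] = (uint8_t)(declared >> 8);
    arena[2] = (uint8_t)(declared & 0xff);
    memcpy(arena + HDR_LEN, "ping", 4);
    size_t rec_len = HDR_LEN + 4;
    memcpy(arena + rec_len, NEIGHBOUR, sizeof NEIGHBOUR);
    return rec_len;
}

/* Unchecked echo of a record that claims 64 payload bytes but carries 4:
 * returns how many bytes beyond the real record were copied out (0 = no leak). */
size_t unchecked_overread(void) {
    uint8_t arena[ARENA], out[ARENA];
    size_t rec_len = build_arena(arena, 64);
    size_t got = echo_unchecked(arena, rec_len, out, sizeof out);
    if (got <= rec_len) return 0;
    size_t over = got - rec_len;
    size_t cmp = over < sizeof NEIGHBOUR ? over : sizeof NEIGHBOUR;
    /* The overread bytes are exactly the neighbour region. */
    return memcmp(out + rec_len, NEIGHBOUR, cmp) == 0 ? over : 0;
}

/* Checked echo of the same lying record: must be rejected (returns 0). */
size_t checked_rejects_liar(void) {
    uint8_t arena[ARENA], out[ARENA];
    size_t rec_len = build_arena(arena, 64);
    return echo_checked(arena, rec_len, out, sizeof out);
}

/* Checked echo of an honest record (declares 4, sends 4): echoed intact. */
size_t checked_accepts_honest(void) {
    uint8_t arena[ARENA], out[ARENA];
    size_t rec_len = build_arena(arena, 4);
    return echo_checked(arena, rec_len, out, sizeof out);
}

int main(void) {
    printf("unchecked: %zu bytes read past the record\n", unchecked_overread());
    printf("checked, lying record: %zu\n", checked_rejects_liar());
    printf("checked, honest record: %zu\n", checked_accepts_honest());
    return 0;
}
```

The overread here stays inside one stack array so the demonstration is well defined; in a real process the bytes after the record would be whatever the allocator placed there. The fix is a single comparison of the declared length against the bytes actually received, which is exactly the second question a reviewer asks of every memcpy.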