Re: Question about the latest security patch - malicious usage
Jeffrey Altman wrote: Jeffrey Altman wrote: The answer to your questions is 'yes'. As I understand it, the patches were released as they are for the time being because it is better to crash your application then allow the attacker to compromise your computer. New patches will have to be released to properly correct the problem in the very near future. Note that changing unexploitable die()s to internal errors is a mistake: it is not safe to continue after an internal error! Cheers, Ben. This is true IFF the internal error is the result of a memory overwrite condition that could have compromised the application; but if the problem is something that we were able to identify before any damage is done (such as the recent protocol error checks) then the error must be returned to the application. The library is often just one small part of an overall application. Introducing easy to trigger denial of service attacks is unacceptable. I agree. This is precisely my point. Cheers, Ben. -- http://www.apache-ssl.org/ben.html http://www.thebunker.net/ Available for contract work. There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit. - Robert Woodruff __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about the latest security patch - malicious usage
Jeffrey Altman wrote: The answer to your questions is 'yes'. As I understand it, the patches were released as they are for the time being because it is better to crash your application then allow the attacker to compromise your computer. New patches will have to be released to properly correct the problem in the very near future. Note that changing unexploitable die()s to internal errors is a mistake: it is not safe to continue after an internal error! Cheers, Ben. This is true IFF the internal error is the result of a memory overwrite condition that could have compromised the application; but if the problem is something that we were able to identify before any damage is done (such as the recent protocol error checks) then the error must be returned to the application. The library is often just one small part of an overall application. Introducing easy to trigger denial of service attacks is unacceptable. Jeffrey Altman * Sr.Software Designer Kermit 95 2.0 GUI available now!!! The Kermit Project @ Columbia University SSH, Secure Telnet, Secure FTP, HTTP http://www.kermit-project.org/Secured with MIT Kerberos, SRP, and [EMAIL PROTECTED] OpenSSL. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
Re: Question about the latest security patch - malicious usage
Jeffrey Altman wrote: The answer to your questions is 'yes'. As I understand it, the patches were released as they are for the time being because it is better to crash your application then allow the attacker to compromise your computer. New patches will have to be released to properly correct the problem in the very near future. Note that changing unexploitable die()s to internal errors is a mistake: it is not safe to continue after an internal error! Cheers, Ben. -- http://www.apache-ssl.org/ben.html Available for contract work. __ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]