Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread J. David Bryan via cctalk
On Tuesday, January 11, 2022 at 17:56, Stan Sieler via cctalk wrote:

> I *think* it was some kind of authentication failure (e.g.,
> incorrectly reporting "ok"), but I'm not sure.
>
> I do know I wrote a several page article about it, and how certain
> coding practices led to it, but I can't

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Greg Stark via cctalk
Your description made me think of Goto Fail: https://www.imperialviolet.org/2014/02/22/applebug.html

> or using logical instead of boolean (or vice versa) logic

I did find this: https://arstechnica.com/gadgets/2021/07/google-pushed-a-one-character-typo-to-production-bricking-chrome-os-devices/

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Stan Sieler via cctalk
Re: On Tue, Jan 11, 2022 at 12:02 PM Jonathan Katz wrote:

> Heartbleed?

Checked the source code for that just now ... nope, sorry. I recall the problem being completely different from buffer overflow (e.g., by an unchecked memcpy()), and more akin to either the programmer misinterpreting

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Stan Sieler via cctalk
I've received a couple of suggestions, thanks, but none seem right. BTW, I'm sorry (Liam) that I didn't make it clearer that it was absolutely a software bug, which excludes Spectre, Rowhammer, Meltdown. Aside: the Meltdown and/or Spectre patch to macOS hurt performance ... the elapsed time to

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Stan Sieler via cctalk
Re:

> The Debian 4 OpenSSL disaster comes to mind, where IIRC a know-it-all
> package manager beautified the source and reduced the effective length
> of any generated keys to 32 bit. But that was more like 15 yrs ago...

That sounds like something I should read about, thanks ... but it isn't

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Paul Koning via cctalk
No, Heartbleed was a protocol specification error, where if you implemented what the spec said you automatically produced a security bug.

paul

> On Jan 11, 2022, at 3:02 PM, Jonathan Katz via cctalk wrote:
>
> Heartbleed?
>
> On Tue, 11 Jan 2022 at 20:00, Hauke Fath via cctalk

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Jonathan Katz via cctalk
Heartbleed?

On Tue, 11 Jan 2022 at 20:00, Hauke Fath via cctalk wrote:

> On Mon, 10 Jan 2022 22:04:33 -0800, Stan Sieler via cctalk wrote:
> > It may have been that either the routine wasn't getting called when it
> > should, or that the programmer misinterpreted what the return value meant.

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Hauke Fath via cctalk
On Mon, 10 Jan 2022 22:04:33 -0800, Stan Sieler via cctalk wrote:

> It may have been that either the routine wasn't getting called when it
> should, or that the programmer misinterpreted what the return value meant.

The Debian 4 OpenSSL disaster comes to mind, where IIRC a know-it-all package

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread David Brownlee via cctalk
On Tue, 11 Jan 2022 at 06:04, Stan Sieler via cctalk wrote:

> Hi,
>
> I'm trying to remember the name (and some information about) a past
> security bug, for an article.
>
> Somewhere between 4 and 6 years ago (I think), there was a fairly major
> security bug reported (probably in Linux, or in

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Bill Degnan via cctalk
You're probably talking about the Java bug from back then. I forget the name of it.

Bill

On Tue, Jan 11, 2022, 6:38 AM Liam Proven via cctalk wrote:

> On Tue, 11 Jan 2022 at 07:04, Stan Sieler via cctalk wrote:
> >
> > Somewhere between 4 and 6 years ago (I think), there was a fairly major

Re: OT: looking for help remembering name/info about security bug

2022-01-11 Thread Liam Proven via cctalk
On Tue, 11 Jan 2022 at 07:04, Stan Sieler via cctalk wrote:

> Somewhere between 4 and 6 years ago (I think), there was a fairly major
> security bug reported (probably in Linux, or in SSH code, but
> something widely used).

Too vague. I think you need to narrow it down. Heartbleed, Spectre,

OT: looking for help remembering name/info about security bug

2022-01-10 Thread Stan Sieler via cctalk
Hi, I'm trying to remember the name (and some information about) a past security bug, for an article. Somewhere between 4 and 6 years ago (I think), there was a fairly major security bug reported (probably in Linux, or in SSH code, but something widely used). IIRC, the bug was a single line