Use after free bug in OpenSSL

153 points by beala, about 11 years ago

12 comments

userbinator, about 11 years ago
It's good to see that one of the positive effects of Heartbleed is that it motivated people to inspect OpenSSL's code, leading to more bugs being found and fixed.

This is supposed to be how open-source works; it's unfortunate that it had to take a huge vulnerability to cause this motivation.
jevinskie, about 11 years ago
I believe this is the same patch as previously written about here on April 10th: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
frik, about 11 years ago
One may consider Mozilla's NSS library (Netscape invented SSL, "Network Security Services") as an alternative to OpenSSL. It has a compatible API layer (extra package), is used by Firefox, (Chrome), OpenOffice and has more sane default settings. Check out the comparison tables: http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations
nemo, about 11 years ago
I wish Theo and his colleagues would create a fork of OpenSSL that was up to OpenBSD/OpenSSH standards. It would be a huge level of work, but I'd happily donate to help fund it.
andrewchoi, about 11 years ago
Sorry if this is a silly question, but is this simply the Heartbleed bug? Or is this a different memory leak bug?
xorgar831, about 11 years ago
It seems like someone should start a Sourceforge for security project; a place that tracks and does high quality static analysis of open source projects, and makes the reports readily available.
yelnatz, about 11 years ago
That's pretty sick. I'd rather have bugs fixed now than later.

Another!
victormx, about 11 years ago
Anyone know a real alternative to SSL to secure communications? No GPG, POW (or bitcoin, similar, etc.)
danieltillett, about 11 years ago
I think that this is a good sign. I know everyone has been saying that OpenSSL code is terrible (can't say I have looked myself), but if this is the worst bug found since heartbleed then maybe it is better than it appears.
cybernoodles, about 11 years ago
It appears Heartbleed has riled up the Hound dogs. It's unfortunate the funds aren't available for bug bounties in OpenSSL.
eudox, about 11 years ago
Are we going to post every new OpenSSL bug until everyone switches to miTLS?
dbbolton, about 11 years ago
What is up with that patch command? Why not

    cd /usr/src; patch -p0 </path/008_openssl.patch ?