[wplug] OpenSSL security vulnerability

Zach netrek at gmail.com
Fri May 16 01:30:08 EDT 2008


On Thu, May 15, 2008 at 9:49 AM, Patrick Wagstrom <patrick at wagstrom.net> wrote:
> I haven't seen any discussion of this, but it's actually very important.
> Some time ago, approximately two years, a single line was removed from the
> Debian installation of OpenSSL.  Reading around, it looks like it was
> removed because the line caused a problem when profiling the code with
> Valgrind.  Unfortunately, this had the nasty side effect of reducing the
> possible key space to 2^15 keys instead of 2^1024 possible keys.  Yeah, it
> took two years for people to realize this.

Well that was rather dumb. What is the name of the genius who made
this code change and why did it take TWO YEARS to discover this flaw?
If it was a typo or a legitimate but fallacious change that would be
more palatable than causing such a huge security vector for the sake of
making your memory profiling tool run smoother! Sheesh.

Zach

