[wplug] OpenSSL security vulnerability

Eric Cooper ecc at cmu.edu
Fri May 16 11:16:36 EDT 2008


On Fri, May 16, 2008 at 01:30:08AM -0400, Zach wrote:
> What is the name of the genius who made this code change and why did
> it take TWO YEARS to discover this flaw?  If it was a typo or a
> legitimate but fallacious change that would be palatable than
> causing such a huge security vector for the sake of making your
> memory profiling tool run smoother! Sheesh.

You might want to read the whole thread (on debian-devel), and maybe
even wait until you have maintained a package used by tens of
thousands of users, before adding your $0.02.  For example, the
(overzealous) patch was to avoid a valgrind warning about reading from
uninitialized memory, which is often a security problem.

-- 
Eric Cooper             e c c @ c m u . e d u
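The reply above refers to a patch that quieted a valgrind complaint about reading uninitialized memory by taking out the seed-mixing code. The C program below is an added illustration, written for this page and not taken from the original message, from OpenSSL, or from the Debian patch. It uses a toy (non-cryptographic) PRNG to contrast three variants of the same seeding routine: the original, which stirs in the caller's seed bytes plus a scratch buffer that valgrind would flag; an over-zealous fix that deletes the mixing calls wholesale; and a narrow fix that drops only the undefined bytes. It assumes, purely for illustration, that a small process id is the only input still reaching the state after the over-zealous change, and then shows why that makes the output enumerable. The hash, function names and sample seeds are all constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy PRNG: a 64-bit state stirred with FNV-1a style XOR/multiply steps.
   This stands in for a real library's seed-mixing routine and is NOT
   cryptographic; it exists only to show what each patch variant does to
   the relationship between inputs and output. */
typedef struct { uint64_t state; } toy_rng;

static void rng_init(toy_rng *r) { r->state = 0xcbf29ce484222325ULL; }

static void rng_add(toy_rng *r, const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        r->state ^= buf[i];
        r->state *= 0x100000001b3ULL;
    }
}

/* Stir in a process id as four little-endian bytes. */
static void rng_add_pid(toy_rng *r, uint32_t pid) {
    unsigned char b[4] = { (unsigned char)pid, (unsigned char)(pid >> 8),
                           (unsigned char)(pid >> 16), (unsigned char)(pid >> 24) };
    rng_add(r, b, sizeof b);
}

/* Constructed sample inputs for the demo (not real key material).
   kSeedA and kSeedB differ in their last byte only. */
const unsigned char kSeedA[8]   = { 1, 2, 3, 4, 5, 6, 7, 8 };
const unsigned char kSeedB[8]   = { 1, 2, 3, 4, 5, 6, 7, 9 };
const unsigned char kScratch[8] = { 0xde, 0xad, 0xbe, 0xef, 0, 0, 0, 0 };

/* (1) Original behaviour: stir in the caller's seed bytes, a scratch
   buffer and the pid. In the real code the scratch buffer's contents were
   never written, so valgrind reports the second rng_add() as a read of
   uninitialised memory. Here the buffer is passed in explicitly so the
   example stays deterministic and free of undefined behaviour. */
uint64_t seed_original(const unsigned char *seed, size_t seed_len,
                       const unsigned char *scratch, size_t scratch_len,
                       uint32_t pid) {
    toy_rng r;
    rng_init(&r);
    rng_add(&r, seed, seed_len);
    rng_add(&r, scratch, scratch_len);
    rng_add_pid(&r, pid);
    return r.state;
}

/* (2) Over-zealous fix: silence valgrind by removing the rng_add() calls
   wholesale. The undefined bytes are gone, but so is every byte of real
   entropy the caller supplied; only the pid still reaches the state. */
uint64_t seed_overzealous(const unsigned char *seed, size_t seed_len,
                          const unsigned char *scratch, size_t scratch_len,
                          uint32_t pid) {
    toy_rng r;
    rng_init(&r);
    (void)seed; (void)seed_len;       /* rng_add(&r, seed, seed_len);       -- removed */
    (void)scratch; (void)scratch_len; /* rng_add(&r, scratch, scratch_len); -- removed */
    rng_add_pid(&r, pid);
    return r.state;
}

/* (3) Narrow fix: keep stirring the caller's seed, drop only the bytes
   that really are undefined (or initialise that buffer before use). */
uint64_t seed_narrow(const unsigned char *seed, size_t seed_len, uint32_t pid) {
    toy_rng r;
    rng_init(&r);
    rng_add(&r, seed, seed_len);
    rng_add_pid(&r, pid);
    return r.state;
}

/* Attacker's view of variant (2): with the pid as the only input, the
   whole output space can be enumerated. Returns the pid in [0, max_pid)
   that reproduces `output`, or -1 if none does. */
long recover_pid(uint64_t output, uint32_t max_pid) {
    for (uint32_t p = 0; p < max_pid; p++) {
        if (seed_overzealous(NULL, 0, NULL, 0, p) == output)
            return (long)p;
    }
    return -1;
}

int main(void) {
    uint64_t leaked = seed_overzealous(kSeedA, sizeof kSeedA,
                                       kScratch, sizeof kScratch, 1234);
    printf("variant (2) output with seed A: %016llx\n", (unsigned long long)leaked);
    printf("same output with seed B?        %s\n",
           seed_overzealous(kSeedB, sizeof kSeedB, kScratch, sizeof kScratch, 1234) == leaked
               ? "yes" : "no");
    printf("pid recovered by brute force:   %ld\n", recover_pid(leaked, 65536));
    return 0;
}
```

The point of the contrast is the check a reviewer should ask for: after the patch, does the output still depend on the seed the caller passed in? Variant (2) returns the same value for any seed, which is what makes recover_pid() work; variant (3) removes the warning without throwing away the entropy.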