[wplug] OpenSSL security vulnerability
Eric Cooper
ecc at cmu.edu
Fri May 16 11:16:36 EDT 2008
On Fri, May 16, 2008 at 01:30:08AM -0400, Zach wrote:
> What is the name of the genius who made this code change, and why did
> it take TWO YEARS to discover this flaw? If it was a typo or a
> legitimate but fallacious change, that would be palatable, rather than
> causing such a huge security vector for the sake of making your
> memory profiling tool run smoother! Sheesh.
You might want to read the whole thread (on debian-devel), and maybe
even wait until you have maintained a package used by tens of
thousands of users, before adding your $0.02. For example, the
(overzealous) patch was to avoid a valgrind warning about reading from
uninitialized memory, which is often a security problem.
--
Eric Cooper e c c @ c m u . e d u
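Eric's point is that the patch was overzealous: it silenced a valgrind warning by deleting the call that fed input into the random pool, instead of keeping the call and making the input defined. The following is an added illustration, not the Debian patch or OpenSSL's own code, of why that trade is a bad one. A toy pool is seeded once from an entropy buffer plus a process id, and once from the process id alone (standing in for "the only input left after the mixing call was removed"); a brute force over the pid range then recovers every key the second variant can produce. The pid as the surviving input, the 32768 pid range, the FNV/splitmix toy mixing and the constructed entropy bytes are all assumptions made for the demonstration.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy pool: NOT a real CSPRNG. It only shows that the number of distinct
   keys a generator can emit is bounded by the number of distinct seeds. */
typedef struct { uint64_t h; } rng_t;

static void rng_init(rng_t *r) { r->h = 0xcbf29ce484222325ULL; } /* FNV-1a basis */

/* Mix bytes into the pool (FNV-1a step per byte). Every input byte fed here
   widens the reachable state set; this stands in for a RAND_add-style call. */
static void rng_add(rng_t *r, const void *buf, size_t len) {
    const unsigned char *p = buf;
    for (size_t i = 0; i < len; i++) {
        r->h ^= p[i];
        r->h *= 0x100000001b3ULL;
    }
}

/* Output step (splitmix64 finaliser) turning the pool state into a "key". */
static uint64_t rng_next(rng_t *r) {
    uint64_t z = (r->h += 0x9e3779b97f4a7c15ULL);
    z = (z ^ (z >> 30)) * 0xbf58476d1ce4e5b9ULL;
    z = (z ^ (z >> 27)) * 0x94d049bb133111ebULL;
    return z ^ (z >> 31);
}

#define PID_MAX 32768 /* assumption: a 15-bit pid range */

/* Seeding as intended: real entropy bytes plus the pid go into the pool. */
static uint64_t key_with_entropy(const unsigned char *entropy, size_t n, int pid) {
    rng_t r;
    rng_init(&r);
    rng_add(&r, entropy, n);          /* the call the toy "patch" deletes */
    rng_add(&r, &pid, sizeof pid);
    return rng_next(&r);
}

/* Seeding after the overzealous fix: the entropy call is gone, so the pid is
   the only thing that differs between two runs. */
static uint64_t key_without_entropy(int pid) {
    rng_t r;
    rng_init(&r);
    rng_add(&r, &pid, sizeof pid);
    return rng_next(&r);
}

/* Given a key made by key_without_entropy, recover the pid by trying every
   value in the range. Returns -1 if no pid reproduces the key, which is what
   happens (up to a 2^-49 chance of collision) for a key made with entropy. */
static int recover_pid(uint64_t key) {
    for (int pid = 0; pid < PID_MAX; pid++)
        if (key_without_entropy(pid) == key)
            return pid;
    return -1;
}

int main(void) {
    /* constructed sample entropy; a real pool would read it from the OS */
    const unsigned char entropy[16] = {0x3a, 0x7f, 0x11, 0xc4, 0x90, 0x02, 0xde, 0x5b,
                                       0x6e, 0x21, 0xa8, 0xf3, 0x47, 0x0c, 0xb9, 0x84};
    int pid = 12345;
    uint64_t good = key_with_entropy(entropy, sizeof entropy, pid);
    uint64_t bad = key_without_entropy(pid);

    printf("key with entropy:    %016" PRIx64 " -> brute force finds pid %d\n",
           good, recover_pid(good));
    printf("key without entropy: %016" PRIx64 " -> brute force finds pid %d\n",
           bad, recover_pid(bad));
    printf("without the entropy call only %d distinct keys are possible\n", PID_MAX);
    return 0;
}
```

The fix a maintainer wants for the warning is to keep the `rng_add` call and make its input defined: initialise the buffer before mixing it in, or, where the read of not-yet-written memory is intentional, tell valgrind so with `VALGRIND_MAKE_MEM_DEFINED` from `valgrind/memcheck.h` rather than removing the mixing step.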