Re: My Assessment of the Heartbleed OpenSSL bug and LedgerSMB

On Fri, 11 Apr 2014, Richard Hector wrote:

> Heartbleed isn't a problem with the encryption though; the encryption
> didn't get broken. Any protocol could probably potentially suffer from a
> buffer overflow due to a bug in the software. Given this one leaked info
> from the server process, who's to say it wouldn't leak your one-time pad?

   Today's Washington Post has an article where the author of the bug admits
he missed validating a variable that holds a length when he submitted a new
feature to OpenSSL along with some bug fixes. The other devs who reviewed
his code missed that, too. It was an oversight, not a deliberate action.

   We all have these senior moments when coding, regardless of our age. :-)


Richard B. Shepard, Ph.D.          |      Have knowledge, will travel.
Applied Ecosystem Services, Inc.   |
www.appl-ecosys.com      Voice: 503-667-4517         Fax: 503-667-8863
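The missing check the message describes, a declared length that was never compared with the number of bytes actually received, is easy to show in a few lines of C. The following is an added example, not code from this thread or from OpenSSL: it parses a heartbeat-style record in the layout RFC 6520 specifies (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and refuses to build an echo response when the declared payload length does not fit inside the record. The function names and the two sample records are constructed for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record layout (as in RFC 6520): type, 2-byte big-endian payload length,
 * payload bytes, then at least 16 bytes of padding. */
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16
#define HB_REQUEST     1
#define HB_RESPONSE    2

/* Validates a received record. On success sets *payload / *payload_len
 * and returns 0; returns -1 if the declared length does not fit inside
 * the rec_len bytes actually received. This comparison is the check the
 * message above describes as having been missed. */
int hb_parse(const unsigned char *rec, size_t rec_len,
             const unsigned char **payload, size_t *payload_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                       /* too short to hold even a header */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    /* Never trust the length field on its own: compare it with what arrived. */
    if (HB_HEADER_LEN + declared + HB_MIN_PADDING > rec_len)
        return -1;
    *payload = rec + HB_HEADER_LEN;
    *payload_len = declared;
    return 0;
}

/* Builds the echo response into out (capacity out_cap). Returns the number
 * of bytes written, or -1 if the request fails validation or does not fit. */
int hb_build_response(const unsigned char *rec, size_t rec_len,
                      unsigned char *out, size_t out_cap)
{
    const unsigned char *payload;
    size_t payload_len;
    if (hb_parse(rec, rec_len, &payload, &payload_len) != 0)
        return -1;
    size_t need = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (need > out_cap || need > (size_t)INT_MAX)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload_len >> 8);
    out[2] = (unsigned char)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, payload, payload_len);   /* bounded by the check above */
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING); /* real TLS pads with random bytes */
    return (int)need;
}

/* Constructed sample record (not captured traffic): a request carrying the
 * given payload but whatever length value the caller chooses to declare. */
static size_t make_request(unsigned char *buf, size_t cap,
                           uint16_t declared, const char *payload)
{
    size_t plen = strlen(payload);
    size_t total = HB_HEADER_LEN + plen + HB_MIN_PADDING;
    if (total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(declared >> 8);
    buf[2] = (unsigned char)(declared & 0xff);
    memcpy(buf + HB_HEADER_LEN, payload, plen);
    memset(buf + HB_HEADER_LEN + plen, 0, HB_MIN_PADDING);
    return total;
}

/* Honest request: declared length 5 matches the 5 payload bytes sent. */
int demo_honest(void)
{
    unsigned char req[64], resp[64];
    size_t n = make_request(req, sizeof req, 5, "hello");
    return hb_build_response(req, n, resp, sizeof resp);   /* 24 */
}

/* Mismatched request: 5 bytes sent, 65535 declared. The validated parser
 * rejects it rather than copying bytes that lie beyond the record. */
int demo_mismatch(void)
{
    unsigned char req[64], resp[64];
    size_t n = make_request(req, sizeof req, 0xFFFF, "hello");
    return hb_build_response(req, n, resp, sizeof resp);   /* -1 */
}

int main(void)
{
    printf("honest request   -> %d bytes\n", demo_honest());
    printf("mismatched request -> %d (rejected)\n", demo_mismatch());
    return 0;
}
```

The whole fix is the single comparison in `hb_parse`; a code reviewer reading the original submission would have had to notice that the length copied into the response came from the peer and had not yet been checked against the record length, which is exactly the kind of detail that slips past several pairs of eyes.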

