[Wolves] Fwd: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability

Chris Ellis chris at intrbiz.com
Wed Apr 9 09:30:19 UTC 2014


On 9 Apr 2014 09:56, "David Goodwin" <david at codepoets.co.uk> wrote:
>
>
>>
>>
>> Not really. There have been shedloads of vulnerabilities over the last 12
odd years since I've been using FOSS. Most community members like to narrow
the field of focus, citing the kernel as the holy grail of security, ignoring
such things as SQL injections and browser compromises, SSL vulnerabilities
etc.
>>
>> The only thing we do do better in the community over Microsoft is we
plug the holes quicker. :-)
>>
>
>
>
> My opinion is that all code contains bugs.
>
> The density of such bugs is unlikely to be significantly different
between closed and open source as studies have shown.
> (
http://www.coverity.com/press-releases/annual-coverity-scan-report-finds-open-source-and-proprietary-software-quality-better-than-industry-average-for-second-consecutive-year/)
>
> In an ideal world, open source code would get reviewed more and become
more secure.
> However it becomes difficult and non-trivial to review a complex
component like OpenSSL.

What is disappointing here is the bug was a typical C flaw, lack of input
validation and low-level buffer management.  For a security-critical
library I had expected better.

Really, safer buffer management needs to be introduced; sadly this would be
a massive change.

It would also be good to have the concept of tainted data, whereby any
external data must be explicitly validated before it can be used.

>
> Microsoft/Oracle/whoever will have similar bugs - however they can
silently patch them without the world knowing ("Bug fixes").
>
> David
>

Chris
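The two points above (a peer-supplied length trusted for a memcpy, and tainting external data so it cannot be used until validated) in working C, as an added example that is not part of the original thread and not OpenSSL's code. The message format, the names read_len/validate_len/echo_unchecked/echo_checked and the in-memory "neighbour" bytes are all constructed for the illustration; the vulnerable and hardened handlers differ only in whether the claimed length is checked against the bytes that actually arrived:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message format (not OpenSSL's): a 2-byte big-endian payload
 * length followed by the payload, which the handler echoes back to the peer. */

/* Tainted wrapper: a length read from the wire. Nothing should index memory
 * with it until validate_len() has turned it into a plain size_t. */
struct tainted_len { uint16_t claimed; };

static struct tainted_len read_len(const uint8_t *msg) {
    struct tainted_len t = { (uint16_t)(((uint16_t)msg[0] << 8) | msg[1]) };
    return t;
}

/* The only sanctioned way to use a tainted length: it must fit within the
 * bytes actually received. Returns 1 and sets *out on success, 0 otherwise. */
static int validate_len(struct tainted_len t, size_t available, size_t *out) {
    if (t.claimed > available) return 0;
    *out = t.claimed;
    return 1;
}

/* Vulnerable pattern: copies as many bytes as the peer claims, bounded only
 * by the destination capacity, never by how many bytes were received. */
size_t echo_unchecked(const uint8_t *msg, size_t msg_len,
                      uint8_t *out, size_t out_cap) {
    if (msg_len < 2) return 0;
    size_t n = read_len(msg).claimed;   /* taint discipline bypassed */
    if (n > out_cap) return 0;          /* protects 'out', not 'msg' */
    memcpy(out, msg + 2, n);            /* over-reads when n > msg_len - 2 */
    return n;
}

/* Hardened pattern: the claimed length is validated against the bytes that
 * actually arrived before it drives any memory access. */
size_t echo_checked(const uint8_t *msg, size_t msg_len,
                    uint8_t *out, size_t out_cap) {
    size_t n;
    if (msg_len < 2) return 0;
    if (!validate_len(read_len(msg), msg_len - 2, &n)) return 0; /* drop malformed request */
    if (n > out_cap) return 0;
    memcpy(out, msg + 2, n);
    return n;
}

/* Constructed memory image for the demonstration: a 4-byte message whose
 * length field claims 16 bytes, followed by 16 bytes standing in for whatever
 * happened to sit next to it in memory. Keeping both in one array makes the
 * over-read deterministic (and well-defined) for the demo. */
static const uint8_t image[] = {
    0x00, 0x10,                          /* claimed payload length: 16 */
    'h', 'i',                            /* actual payload: 2 bytes   */
    'S','E','C','R','E','T','K','E','Y','1','2','3','4','5','6','7'
};
#define MSG_LEN 4   /* only the first 4 bytes were "received" */

/* Returns 1 if the unchecked handler echoed back neighbour bytes. */
int unchecked_leaks_neighbour(void) {
    uint8_t out[64] = {0};
    size_t n = echo_unchecked(image, MSG_LEN, out, sizeof out);
    return n == 16 && memcmp(out + 2, "SECRET", 6) == 0;
}

/* Returns 1 if the checked handler refused the over-long claim. */
int checked_rejects_overlong(void) {
    uint8_t out[64] = {0};
    return echo_checked(image, MSG_LEN, out, sizeof out) == 0;
}

/* Returns the number of bytes echoed for an honest 2-byte request. */
size_t checked_echoes_honest(void) {
    static const uint8_t honest[] = { 0x00, 0x02, 'h', 'i' };
    uint8_t out[64] = {0};
    return echo_checked(honest, sizeof honest, out, sizeof out);
}

int main(void) {
    printf("unchecked handler leaks neighbour bytes: %s\n",
           unchecked_leaks_neighbour() ? "yes" : "no");
    printf("checked handler rejects over-long claim: %s\n",
           checked_rejects_overlong() ? "yes" : "no");
    printf("checked handler echoes honest request: %zu bytes\n",
           checked_echoes_honest());
    return 0;
}
```

The taint wrapper is only a convention in C (nothing stops a caller reading `.claimed` directly, as echo_unchecked does), but it makes every use of a wire-supplied length grep-able and pushes the bounds check into one place, which is the cheapest version of the "tainted data" idea without changing the language or the buffer model.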