[Wolves] Fwd: [LUG] OpenSSL 1.0.1 "Heartbleed" vulnerability
David Goodwin
david at codepoets.co.uk
Wed Apr 9 11:36:58 UTC 2014
> > In an ideal world, open source code would get reviewed more and
> > become more secure.
> > However it becomes difficult and non-trivial to review a complex
> > component like OpenSSL.
>
> What is disappointing here is the bug was a typical C flaw, lack of
> input validation and low level buffer management. For a security
> critical library I had expected better.
>
> Really safer buffer management needs to be introduced, sadly this
> would be a massive change.
>
> It would also be good to have the concept of tainted data, whereby
> any external data must be explicitly validated before it can be used.
>
>
"OpenSSL is not developed by a responsible team."
http://article.gmane.org/gmane.os.openbsd.misc/211963
David.
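The "lack of input validation" flaw the quoted reply describes is a length field taken from the wire and trusted before the copy. The C below is an added illustration, not code from the thread or from OpenSSL: it assumes a hypothetical heartbeat-style record layout (type byte, 2-byte length, payload, 16 bytes of padding) and shows the bounds check a parser needs before it copies a length it did not choose.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (an assumption for this example, not the
 * real TLS encoding): 1 byte type, 2 byte big-endian payload length,
 * payload bytes, then at least 16 bytes of padding. The length field
 * arrives from the peer, so it is "tainted" and must be checked against
 * what was actually received before any copy uses it. */
#define HB_HEADER_LEN  3
#define HB_PADDING_LEN 16

/* Copies the payload into out. Returns the payload length on success,
 * or -1 if the record is malformed. out must hold at least out_cap bytes. */
int parse_heartbeat(const uint8_t *rec, size_t rec_len,
                    uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL ||
        rec_len < HB_HEADER_LEN + HB_PADDING_LEN)
        return -1;                       /* too short to hold a header */

    size_t claimed = ((size_t)rec[1] << 8) | rec[2];

    /* The essential check: the claimed length must fit inside the bytes
     * we really received, leaving room for the padding. Skipping it lets
     * memcpy read past the end of the record into adjacent memory. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_PADDING_LEN)
        return -1;
    if (claimed > out_cap)               /* and it must fit the destination */
        return -1;

    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample records (not captured traffic). */
int demo_well_formed(void)
{
    /* 21-byte record: payload "hi", length field says 2. */
    uint8_t rec[HB_HEADER_LEN + 2 + HB_PADDING_LEN] = {1, 0x00, 0x02, 'h', 'i'};
    uint8_t out[64];
    return parse_heartbeat(rec, sizeof rec, out, sizeof out);   /* 2 */
}

int demo_oversized_claim(void)
{
    /* Same 21-byte record, but the length field claims 0xFFFF bytes. */
    uint8_t rec[HB_HEADER_LEN + 2 + HB_PADDING_LEN] = {1, 0xFF, 0xFF, 'h', 'i'};
    uint8_t out[64];
    return parse_heartbeat(rec, sizeof rec, out, sizeof out);   /* -1 */
}
```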