:: Re: [unSYSTEM] OpenSSL has exploit …
Author: Troy Benjegerdes
Date:  
To: System undo crew
Subject: Re: [unSYSTEM] OpenSSL has exploit mitigation countermeasures to make sure it's exploitable.
The best part was the 'update your bitcoinz, because someone can steal
them if you use the completely unnecessary openssl payment protocol'.
Fortunately many altcoins have been saved by sheer laziness of not
updating to the latest pre-hacked version.

So does Theo have a decent SSL implementation in OpenBSD? Is gnutls any
good?

On Fri, Apr 11, 2014 at 10:07:34AM +0200, Caleb James DeLisle wrote:
> Heartbleed reads up to 64k of memory, crossing 16 page boundaries
> into "unallocated space" but it never triggers a segfault even
> on systems with hardened malloc().
>
> Theo de Raadt comments on OpenSSL's bypass of the OpenBSD secure malloc()
> http://article.gmane.org/gmane.os.openbsd.misc/211963
>
> And more about exactly how it works:
> http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
>
> And why it's impossible to turn it off:
> http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
>
>
> A missed bounds check is an accident, a pattern of insecure design
> practices is a scandal.


-- 
----------------------------------------------------------------------------
Troy Benjegerdes                 'da hozer'                  hozer@???
7 elements      earth::water::air::fire::mind::spirit::soul        grid.coop


      Never pick a fight with someone who buys ink by the barrel,
         nor try buy a hacker who makes money by the megahash
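
The "missed bounds check" and the "up to 64k" figure from the quoted message, as an added example that is not part of the thread and is not OpenSSL's code. It assumes the RFC 6520 heartbeat layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding); the function names and sample records are hypothetical, and the freelist behaviour discussed in the linked posts is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER  3u   /* type (1 byte) + payload_length (2 bytes), RFC 6520 */
#define HB_PADDING 16u  /* minimum padding required by RFC 6520 */

/* Payload length the peer claims (big-endian field at offset 1). */
static size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Bytes an echo that trusts the claimed length would read past the end of
 * the record; rec_len is the number of bytes that actually arrived. */
size_t hb_overread(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = hb_claimed_len(rec);
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Checked echo: copies the payload into out and returns its length, or
 * returns -1 (record is discarded) when header + claimed payload + padding
 * does not fit in what was received, or out is too small. */
long hb_echo_checked(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_PADDING) return -1;
    size_t claimed = hb_claimed_len(rec);
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return -1;
    if (claimed > out_cap) return -1;
    memcpy(out, rec + HB_HEADER, claimed);
    return (long)claimed;
}

/* Constructed sample records (not captured traffic); padding is zeroed. */
static const uint8_t HB_HONEST[3 + 4 + 16] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t HB_LYING[3 + 16]      = {1, 0xFF, 0xFF};

int main(void) {
    uint8_t out[64];
    int ok = hb_echo_checked(HB_HONEST, sizeof HB_HONEST, out, sizeof out) == 4
          && hb_echo_checked(HB_LYING, sizeof HB_LYING, out, sizeof out) == -1
          && hb_overread(HB_LYING, sizeof HB_LYING) == 65519;
    return ok ? 0 : 1;
}
```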