On Sun, Apr 20, 2014 at 07:07:45PM +0100, Steven Chamberlain wrote:
> Hi,
>
> But meanwhile, OpenBSD developers are extensively cleaning up OpenSSL
> 1.0.1g.

One of the problems with anything from OpenBSD is that they only care about OpenBSD, and if you want to use that fork you'll actually have to go and revert some of the things they're doing. Some of the things they're changing are actually good changes, but some are also just wrong. They don't seem to be understanding why things are the way they are and seem to be changing code they don't understand. They also seem to like to do white space changes, which is really helpful.

> It's now using native malloc/free instead of its own allocator
> which allowed the Heartbleed bug to happen.

This did not allow Heartbleed to happen. It might have hidden CVE-2010-5298 more, but it was always there and is unrelated to Heartbleed. When using the native malloc you would still have been able to exploit Heartbleed, but it will most likely result in different behaviour and might be harder.

> I wonder if this might result in an alternate SSL/TLS library we could
> use in Debian?

There are alternatives, but I guess you mean alternative to openssl. Currently it actually doesn't look like a good option to me.

Kurt

Archive: https://lists.debian.org/20140420212629.ga23...@roeckx.be