Debian's worst nightmare - and how it came about
by Sam Varghese
Friday, 23 May 2008

Moller's reply can be interpreted in two ways. One reading is that an OpenSSL developer was okay with the change. A second school of thought, which includes long-term Debian developer Russell Coker, holds that since Roeckx had begun his message by saying, "When debugging applications that make use of openssl using valgrind...", Moller may well have understood Roeckx's reference to removing the code as meaning a removal made only for the purpose of debugging, not a permanent change to the package.

There were three responses to Roeckx's post; apart from Moller, a second OpenSSL developer, Geoff Thorpe, suggested that compiling the package with the -DPURIFY option would remove the unnecessary warnings generated by valgrind.

It turns out that Roeckx had sent this message to the wrong mailing list - but nobody can blame him for doing so, for the OpenSSL website states that this list (openssl-dev) is for "Discussions on development of the OpenSSL library. Not for application development questions!"

Ben Laurie, a member of the core OpenSSL team, posted (see comment 43) that if Roeckx wanted to communicate with OpenSSL developers he should have sent his message to the openssl-team mailing list. That argument would have had some merit if the OpenSSL site had indicated anywhere that this list (openssl-team) was the one that would ensure communication with the OpenSSL developers.

As former Debian project leader Branden Robinson pointed out, nowhere, including in the OpenSSL package itself, is the openssl-team mailing list mentioned as the one that ensures communication with the developers. In fact, the list is not mentioned at all.

However, Laurie did point out one mistake made by the Debian project: the changed OpenSSL package, which fixed the bug, was committed to a public repository on May 7, nearly a week before the advisory about the vulnerability was issued. As Laurie put it: "This gives alert attackers a big hint (and only one needs to take that hint) without warning defenders of the problem (all of whom have to know)."

Russell Coker says this happens periodically when there are upstream issues and cross-distribution advisories have to be synchronised.

The appearance of a report on May 13 titled "Brute-Force SSH Server Attacks Surge" may not be unrelated to Laurie's comment.
