Re: [Monotone-devel] possible SSL compromise
From: Zbigniew Zagórski
Subject: Re: [Monotone-devel] possible SSL compromise
Date: Wed, 9 Apr 2014 08:42:18 +0200
Hello,
On Tue, Apr 8, 2014 at 9:25 PM, Hendrik Boom <address@hidden> wrote:
>
> I've just heard about a potential vulnerability in OpenSSL. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 for the Debian
> version of this problem.
>
> In particular, the message states
>
> all
> keys used with vulnerable processes will need to be replaced both in
> Debian infrastructure and by all users of this package.
>
> I'm wondering whether monotone use is affected by this problem.
Monotone doesn't use TLS, and thus not OpenSSL's implementation of TLS, and the
bug in question is specific to the TLS _extension implementation_ in OpenSSL.
This is a "plain old" buffer overrun, or in this case a buffer "overrun" ... [1]
> I don't know if it even uses OpenSSL
No, it uses Botan, but only for primitive crypto methods. Monotone's netsync
protocol and its implementation have other ... yet unknown bugs :)
[1] thorough bug analysis for the curious:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html
--
Zbigniew Zagórski
/ software developer / geek / http://zbigg.blogspot.com /
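The bug the reply points at, as an added illustration that is not part of the original message and not monotone, Botan or OpenSSL code: a toy heartbeat handler that trusts the peer's length field, beside one that checks that field against the number of bytes actually received. The record layout (type byte, 16-bit big-endian payload length, payload, padding) follows RFC 6520; the `memory` array, the "ping" request and the "SECRET-KEY-MATERIAL" string placed after the record are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified TLS heartbeat record (RFC 6520 layout):
 *   byte 0      : message type (1 = request, 2 = response)
 *   bytes 1..2  : payload_length, big-endian, chosen by the peer
 *   then        : payload, followed by at least 16 bytes of padding
 * Toy model written for this example, not OpenSSL's code. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap);

/* Simulated process memory (constructed): the received record is placed at
 * the start, and data the peer must never see sits right after it. */
static uint8_t memory[128];
static const char secret[] = "SECRET-KEY-MATERIAL";

/* Vulnerable handler: echoes payload_length bytes as claimed by the peer
 * without checking that the record really contained that many. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                   uint8_t *out, size_t out_cap) {
    (void)rec_len;                         /* never consulted: that is the bug */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);  /* over-read past the record */
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Fixed handler: the claimed payload plus padding must fit inside the
 * bytes that were actually received; otherwise the request is dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                              uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING) return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (3 + payload_len + HB_PADDING > rec_len) return 0;
    if (3 + payload_len + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + payload_len + HB_PADDING;
}

/* Lay out a request in `memory` whose length field claims `claimed_len`
 * bytes while only strlen(payload) bytes are sent; returns the true record
 * length. The secret is written immediately after the record. */
static size_t build_request(size_t claimed_len, const char *payload) {
    size_t actual = strlen(payload);
    memset(memory, 0, sizeof memory);
    memory[0] = HB_REQUEST;
    memory[1] = (uint8_t)(claimed_len >> 8);
    memory[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(memory + 3, payload, actual);
    size_t rec_len = 3 + actual + HB_PADDING;   /* padding is already zero */
    memcpy(memory + rec_len, secret, sizeof secret - 1);
    return rec_len;
}

/* 1 if the response bytes contain the secret, 0 otherwise. */
static int response_leaks(const uint8_t *resp, size_t n) {
    size_t slen = sizeof secret - 1;
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

/* Run a handler on a request carrying "ping" but claiming `claimed_len`
 * bytes; returns 1 if the secret leaked into the response. */
static int leaks_with(hb_handler handler, size_t claimed_len) {
    uint8_t out[128];
    size_t rec_len = build_request(claimed_len, "ping");
    size_t n = handler(memory, rec_len, out, sizeof out);
    return n ? response_leaks(out, n) : 0;
}

/* Response length for an honest request ("ping", claimed length 4). */
static size_t honest_response_len(hb_handler handler) {
    uint8_t out[128];
    size_t rec_len = build_request(4, "ping");
    return handler(memory, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable leaks: %d\n", leaks_with(heartbeat_vulnerable, 40));
    printf("fixed leaks:      %d\n", leaks_with(heartbeat_fixed, 40));
    printf("fixed honest len: %zu\n", honest_response_len(heartbeat_fixed));
    return 0;
}
```

The over-read is kept inside the `memory` array so the demonstration is well-defined C; in a real process the same copy walks into whatever the allocator placed after the record. The fixed handler discards rather than answers a malformed request, which is also why the check must compare against the received record length and not just the output buffer size.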