
Re: [SECURITY] [DSA 1571-1] New openssl packages fix predictable random number generator



Jan Luehr wrote:

> However, I'm curious: [how] could this happen?

This is the best explanation I've seen so far:
http://it.slashdot.org/comments.pl?sid=551636&cid=23392602

I have no idea if it's correct, but it sounds very plausible.

If there was any mistake it may have been to try too hard to get a warning-free run from valgrind.

Contrary to some reports that Debian should have discussed the proposed faulty fix with the OpenSSL devs in 2006, note that the Debian developer involved *did* try to discuss the proposed changes with the OpenSSL devs, and was not warned against the idea: http://marc.info/?t=114651088900003&r=1&w=2

As the /. post says, "Hats off to the reviewer who picked up on the problem".

Cheers,
Nick Boyce
--
Leave the Olympics in Greece, where they belong.
