On 06-06-2014 22:11, patric conant wrote:
> So we knew that OpenSSL had some problems, indicated by the fact that they
> were blissfully unaware that Valgrind gave warnings when compiling their
> code, from the Debian debacle.
They knew, just didn't care.
>  Then Heartbleed came along, and people knew
> how bad things really were, and then members of the OpenBSD got together
> and started working hard on cleaning up and auditing the OpenSSL codebase,
> which led to some other people going through the changes for
> indications as to what sort of vulnerabilities the original had. That
> eventually led to this most recent round of vulnerabilities which
> professional courtesy dictated that the affected parties get enough time to
> patch their offerings before public disclosure, except for the OpenBSD team.
The cleanup didn't necessarily have anything to do with these
disclosures. The fact is, that many people, not just OpenBSD developers,
started actually looking at the code.
>
> As a user I should probably just run snapshots to cut my window of
> vulnerability as much as possible, for the foreseeable future, as this
> problem's likely to get worse before it gets better, at the actual
> inclusion of LibreSSL in OpenBSD.
>
> Does this sound right, did I miss some important subtleties?
That depends on your requirements. Snapshots can sometimes be broken. It
happens. Also, it's hard to follow current. If you can, and can deal
with the problems that come with it, then ok. If not, you might just
follow stable. You don't even need to apply and compile the patches, if
you trust the guys at mtier.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC