Jeffrey Altman wrote:

> The answer to your questions is 'yes'. As I understand it, the
> patches were released as they are "for the time being" because it is
> better to crash your application than allow the attacker to compromise
> your computer.
>
> New patches will have to be released to properly correct the problem
> in the very near future.

Note that changing unexploitable die()s to internal errors is a mistake:
it is not safe to continue after an internal error!

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Available for contract work.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]