> Jeffrey Altman wrote:
> > The answer to your questions is 'yes'.  As I understand it, the
> > patches were released as they are "for the time being" because it is
> > better to crash your application than allow the attacker to compromise
> > your computer.
> > 
> > New patches will have to be released to properly correct the problem
> > in the very near future.
> 
> Note that changing unexploitable die()s to internal errors is a mistake: 
> it is not safe to continue after an internal error!
> 
> Cheers,
> 
> Ben.

This is true IFF the internal error is the result of a memory
overwrite condition that could have compromised the application; but
if the problem is something that we were able to identify before any
damage is done (such as the recent protocol error checks) then the
error must be returned to the application.  The library is often just
one small part of an overall application.  Introducing easy-to-trigger
denial of service attacks is unacceptable.



 Jeffrey Altman * Sr.Software Designer     Kermit 95 2.0 GUI available now!!!
 The Kermit Project @ Columbia University  SSH, Secure Telnet, Secure FTP, HTTP
 http://www.kermit-project.org/            Secured with MIT Kerberos, SRP, and 
 [EMAIL PROTECTED]               OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
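An added example (not OpenSSL code, and not from either poster) showing the distinction argued above in a hypothetical record parser: a malformed length caught by a protocol check is returned to the caller as an error, while only an invariant that cannot fail without memory corruption aborts the process.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire format, constructed for this example:
 * type(1 byte) | len(2 bytes, big-endian) | body(len bytes) */
#define REC_MAX_BODY 16

enum rec_status { REC_OK = 0, REC_ERR_TRUNCATED = -1, REC_ERR_LENGTH = -2 };

struct record {
    uint8_t type;
    size_t len;
    uint8_t body[REC_MAX_BODY];
};

/* Returns REC_OK or a negative REC_ERR_* value. The library reports the
 * bad input and lets the application decide (typically: drop the peer),
 * so a hostile packet cannot take down the whole process. */
int parse_record(const uint8_t *in, size_t in_len, struct record *out)
{
    if (in_len < 3)
        return REC_ERR_TRUNCATED;
    size_t len = ((size_t)in[1] << 8) | in[2];
    /* Protocol check: detected before any copy happens, nothing is damaged. */
    if (len > REC_MAX_BODY || len > in_len - 3)
        return REC_ERR_LENGTH;
    out->type = in[0];
    out->len = len;
    memcpy(out->body, in + 3, len);
    /* Internal invariant: len <= REC_MAX_BODY was established above.
     * If it no longer holds, memory has been corrupted and continuing is
     * unsafe; this is the one case where a die() is appropriate. */
    if (out->len > REC_MAX_BODY)
        abort();
    return REC_OK;
}

/* Constructed sample inputs. */
static const uint8_t good_pkt[] = {0x16, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t bad_pkt[]  = {0x16, 0x7f, 0xff, 'a'}; /* claims 32767 bytes */
```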
