On 12 Apr 2014, at 17:43, Matthias Apitz <g...@unixarea.de> wrote:

> On Wednesday, April 09, 2014 at 01:05:22AM -0700, monloi perez wrote:
>
>> True. Thanks for the quick reply.
>>
>>
>> On Wednesday, April 9, 2014 3:33 PM, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
>>
>> https://www.openssl.org/news/changelog.html
>>
>> 1.0.1 introduced the heartbeat support.
>>
>> 1.0.0 and earlier are fortunate in that they didn't have it..... but then they
>> didn't have things to stop you from being BEASTed, so some you win, some you
>> lose. ;)
>>
>> alan
>
> Hello,
>
> As you can read in the above change log, heartbeat support was
> introduced in version 1.0.1 of OpenSSL. Does this mean that also the bug
> was introduced with this version in March 2012, or was it later?

As the security advisory states, the bug showed up in version 1.0.1, released in March 2012.

> What is the exact bug? Can someone show a svn/git diff of the first
> source version having the bug?

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

> Is it possible that the bug was introduced with intention (to make
> use of it later)?
>
> Here in Germany in the news we have a rumor that the bug was used by the NSA;
> of course the American Government says no.

I have read the rumor. It is wrong. I was Robin's boss at the time he did the work; he worked in my lab. Neither I personally nor my lab at the university had any cooperation with any security agency (from any country). Robin worked on the OpenSSL code for multiple years. During his work with the DTLS code, he fixed a lot of bugs in that code and implemented some features, like the support of RFC 6520. He worked in the public; all his patches were submitted with his name. The intention was to improve OpenSSL, not to introduce bugs. Unfortunately, the patch above contained a bug which wasn't caught, neither by Robin, nor by the reviewers, nor by the people using the stack. It is a bug.
A bug with a huge impact. Nothing more. Nothing less.

Best regards
Michael Tüxen

> Thanks
>
> matthias
>
> --
> Matthias Apitz | /"\ ASCII Ribbon Campaign:
> E-mail: g...@unixarea.de | \ / - No HTML/RTF in E-mail
> WWW: http://www.unixarea.de/ | X - No proprietary attachments
> phone: +49-170-4527211 | / \ - Respect for open standards
> | en.wikipedia.org/wiki/ASCII_Ribbon_Campaign
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List firstname.lastname@example.org
> Automated List Manager majord...@openssl.org
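For readers who want to see the defect the thread is pointing at without digging through the linked commit, here is an added example (written for this page; it is not OpenSSL's source and not anything posted in the thread). It re-implements the heartbeat request handling of tls1_process_heartbeat in simplified form: the pre-fix logic trusts the 16-bit payload length carried in the peer's message and copies that many bytes, while the fixed variant adds the two comparisons against the real record length that OpenSSL 1.0.1g introduced. The `record_t` type, the `build_request` helper, the `contains` helper and the `HB_*` constants are scaffolding invented here; the "SESSION-KEY" bytes placed after the record are constructed stand-ins for neighbouring heap memory, and the padding is zeroed instead of filled with RAND_pseudo_bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Stand-in for s->s3->rrec: the decrypted record bytes and their real length. */
typedef struct { const unsigned char *data; size_t length; } record_t;

/* Pre-fix logic (OpenSSL 1.0.1 to 1.0.1f): the payload length comes from the peer's
 * message and is never compared with rec->length, so memcpy reads past the record
 * into whatever follows it in memory. Returns the response length written to out,
 * or -1. The out_cap check is demo scaffolding only; OpenSSL allocated the response
 * buffer to exactly the size the peer asked for. */
int heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    const unsigned char *pl = p + 2;
    size_t total = 1 + 2 + payload + HB_PADDING;

    if (hbtype != HB_REQUEST || total > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);                      /* s2n(payload, bp) */
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);             /* over-read when payload > real length */
    memset(out + 3 + payload, 0, HB_PADDING); /* OpenSSL: RAND_pseudo_bytes */
    return (int)total;
}

/* Same routine with the bounds checks from the 1.0.1g fix. A request whose claimed
 * payload does not fit inside the received record is silently discarded (return 0). */
int heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    const unsigned char *pl;
    unsigned char hbtype;
    unsigned int payload;
    size_t total;

    if (1 + 2 + HB_PADDING > rec->length)             /* header + minimum padding */
        return 0;
    hbtype = *p++;
    payload = ((unsigned int)p[0] << 8) | p[1];
    pl = p + 2;
    if (1 + 2 + payload + HB_PADDING > rec->length)   /* claimed vs real length */
        return 0;
    total = 1 + 2 + payload + HB_PADDING;
    if (hbtype != HB_REQUEST || total > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, pl, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)total;
}

/* Constructed input: lay out a request in mem carrying strlen(real_payload) payload
 * bytes but a length field claiming `claimed`, then write `secret` directly after the
 * record to stand in for adjacent heap data. Returns the record with its honest length. */
record_t build_request(unsigned char *mem, unsigned int claimed,
                       const char *real_payload, const char *secret)
{
    size_t n = strlen(real_payload);
    record_t rec;
    mem[0] = HB_REQUEST;
    mem[1] = (unsigned char)(claimed >> 8);
    mem[2] = (unsigned char)(claimed & 0xff);
    memcpy(mem + 3, real_payload, n);
    memset(mem + 3 + n, 0, HB_PADDING);
    memcpy(mem + 3 + n + HB_PADDING, secret, strlen(secret));
    rec.data = mem;
    rec.length = 3 + n + HB_PADDING;
    return rec;
}

/* Portable substitute for memmem: does buf[0..len) contain needle? */
int contains(const unsigned char *buf, size_t len, const char *needle)
{
    size_t m = strlen(needle), i;
    for (i = 0; i + m <= len; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

int main(void)
{
    static unsigned char mem[256], out[256];
    /* 2-byte payload "hi", 16 bytes padding: the real record is 21 bytes, but the
     * length field claims 40, so the pre-fix code copies 19 bytes beyond the record. */
    record_t rec = build_request(mem, 40, "hi", "SESSION-KEY");
    int n = heartbeat_vulnerable(&rec, out, sizeof out);
    printf("vulnerable: %d-byte response, secret leaked: %s\n", n,
           contains(out + 3, 40, "SESSION-KEY") ? "yes" : "no");
    n = heartbeat_fixed(&rec, out, sizeof out);
    printf("fixed: returned %d (0 = request discarded)\n", n);
    return 0;
}
```

The important line is the second check in `heartbeat_fixed`: the attacker controls `payload`, the server controls `rec->length`, and only the latter says how many bytes actually arrived. Everything else in the routine is identical in both versions, which is why the defect survived review.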