Re: Dumbing down the recent SSL stuff for users

2014-06-07 Thread Giancarlo Razzolini
On 06-06-2014 22:11, patric conant wrote:
> So we knew that OpenSSL had some problems, indicated by the fact that they
> were blissfully unaware that Valgrind gave warnings when compiling their
> code, from the Debian debacle.
They knew, just didn't care.
> Then Heartbleed came along, and people knew
> how bad things really were, and then members of the OpenBSD got together
> and started working hard on cleaning up and auditing the OpenSSL codebase,
> which led to some other people going through the changes for
> indications as to what sort of vulnerabilities the original had. That
> eventually led to this most recent round of vulnerabilities which
> professional courtesy dictated that the affected parties get enough time to
> patch their offerings before public disclosure, except for the OpenBSD team.
The cleanup didn't necessarily have anything to do with these
disclosures. The fact is that many people, not just OpenBSD developers,
actually started looking at the code.

> As a user I should probably just run snapshots to cut my window of
> vulnerability as much as possible, for the foreseeable future, as this
> problem's likely to get worse before it gets better, at the actual
> inclusion of LibreSSL in OpenBSD.
>
> Does this sound right, did I miss some important subtleties?
That depends on your requirements. Snapshots can sometimes be broken. It
happens. Also, it's hard to follow current. If you can, and can deal
with the problems that come with it, then OK. If not, you might just
follow stable. You don't even need to apply and compile the patches, if
you trust the guys at mtier.

Cheers,

-- 
Giancarlo Razzolini
GPG: 4096R/77B981BC
Dumbing down the recent SSL stuff for users

2014-06-06 Thread patric conant
Misc,

So we knew that OpenSSL had some problems, indicated by the fact that they
were blissfully unaware that Valgrind gave warnings when compiling their
code, from the Debian debacle. Then Heartbleed came along, and people knew
how bad things really were, and then members of the OpenBSD got together
and started working hard on cleaning up and auditing the OpenSSL codebase,
which led to some other people going through the changes for
indications as to what sort of vulnerabilities the original had. That
eventually led to this most recent round of vulnerabilities which
professional courtesy dictated that the affected parties get enough time to
patch their offerings before public disclosure, except for the OpenBSD team.

As a user I should probably just run snapshots to cut my window of
vulnerability as much as possible, for the foreseeable future, as this
problem's likely to get worse before it gets better, at the actual
inclusion of LibreSSL in OpenBSD.

Does this sound right, did I miss some important subtleties?