
Yes, but read 'agl's comments carefully: the systems impacted by this are going to tend to be ones that do special-case configuration of SSL certificates. We're not talking about browsers and (for the most part) web servers here.

A hypothetical future GitHub feature that allowed users to upload SSL certs in lieu of SSH keys might have to review their code to make sure they weren't using OpenSSL BIOs to read certs from (or just patch).

You should patch anyways. From now on, professional security assessments are going to doc this version of OpenSSL as a vulnerability.




Oh, I'm not using OpenSSL professionally - I'm pretty much just a curious amateur when it comes to computer security.

Good to know I've not got anything to worry about personally, though. You've explained it well.


Adam Langley's the one who did the real explaining on this thread; thank 'agl. :|



