
Re: [Monotone-devel] possible SSL compromise


From: Zbigniew Zagórski
Subject: Re: [Monotone-devel] possible SSL compromise
Date: Wed, 9 Apr 2014 08:42:18 +0200

Hello,

On Tue, Apr 8, 2014 at 9:25 PM, Hendrik Boom <address@hidden> wrote:
>
> I've just heard about a potential vulnerability in OpenSSL.  See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 for the Debian
> version of this problem.
>
> In particular, the message states
>
> all
> keys used with vulnerable processes will need to be replaced both in
> Debian infrastructure and by all users of this package.
>
> I'm wondering whether monotone use is affected by this problem.

Monotone doesn't use TLS, and thus not OpenSSL's implementation of TLS, and the
bug in question is specific to the TLS _extension implementation_ in OpenSSL.
This is a "plain old" buffer overrun, or in this case buffer "overrun" ... [1]

> I don't know if it even uses OpenSSL

No, it uses botan but only for primitive crypto methods. Monotone's netsync
protocol and its implementation have other ... yet unknown bugs :)

[1] thorough bug analysis for the curious:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

-- 
Zbigniew Zagórski
/ software developer / geek / http://zbigg.blogspot.com /
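The reply above describes the Heartbleed bug as a "plain old" buffer overrun caused by trusting a length field in the TLS heartbeat extension. The following is an added example, not code from this thread or from OpenSSL or monotone: a small, constructed length-prefixed record parser in the shape of a heartbeat message (1-byte type, 2-byte big-endian payload length, payload, padding). `hb_overread_bytes()` reports how far past the received record an implementation that copied the *claimed* length without checking would read, and `hb_parse()` shows the defensive check: the claimed length plus the required padding must fit inside the bytes that actually arrived. All record layouts, constants and sample records here are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example only:
 * byte 0      : message type
 * bytes 1..2  : payload length, big-endian, chosen by the *sender*
 * then        : payload, followed by padding                      */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING 16   /* padding the parser insists on seeing */

typedef struct {
    int      ok;           /* 1 if the record was accepted          */
    uint16_t claimed_len;  /* payload length as claimed by the sender */
    size_t   available;    /* bytes actually present after the header */
} hb_result;

/* The sender-controlled length field. Trusting this value alone
 * is the defect the thread refers to. */
static uint16_t hb_claimed_length(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    return (uint16_t)(((uint16_t)rec[1] << 8) | rec[2]);
}

/* Bytes beyond the end of the received record that an unchecked
 * "copy claimed_len bytes" would read. 0 means no over-read. Computed
 * arithmetically; nothing out of bounds is touched here. */
static size_t hb_overread_bytes(const uint8_t *rec, size_t rec_len) {
    if (rec_len < HB_HEADER_LEN) return 0;
    size_t claimed   = hb_claimed_length(rec, rec_len);
    size_t available = rec_len - HB_HEADER_LEN;
    return claimed > available ? claimed - available : 0;
}

/* Hardened parse: reject any record whose claimed payload (plus the
 * mandatory padding) does not fit in what was actually received. */
static hb_result hb_parse(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    hb_result r = {0, 0, 0};
    if (rec_len < HB_HEADER_LEN) return r;          /* truncated header */
    r.claimed_len = hb_claimed_length(rec, rec_len);
    r.available   = rec_len - HB_HEADER_LEN;
    /* The bounds check: sender's length must be backed by real bytes. */
    if ((size_t)r.claimed_len + HB_MIN_PADDING > r.available) return r;
    if (r.claimed_len > out_cap) return r;          /* caller's buffer too small */
    memcpy(out, rec + HB_HEADER_LEN, r.claimed_len);
    r.ok = 1;
    return r;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t good_record[] = {
    0x01, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };   /* 5 + 16 bytes */
static const uint8_t lying_record[] = {
    0x01, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o' };        /* claims 65535, carries 5 */

int demo_good_accepted(void) {
    uint8_t out[64];
    return hb_parse(good_record, sizeof good_record, out, sizeof out).ok;
}
int demo_lying_rejected(void) {
    uint8_t out[64];
    return !hb_parse(lying_record, sizeof lying_record, out, sizeof out).ok;
}
size_t demo_good_overread(void)  { return hb_overread_bytes(good_record,  sizeof good_record);  }
size_t demo_lying_overread(void) { return hb_overread_bytes(lying_record, sizeof lying_record); }

int main(void) {
    printf("good record accepted: %d, over-read bytes: %zu\n",
           demo_good_accepted(), demo_good_overread());
    printf("lying record rejected: %d, unchecked over-read would be: %zu bytes\n",
           demo_lying_rejected(), demo_lying_overread());
    return 0;
}
```

The point of `hb_overread_bytes()` is to make the risk measurable without reproducing it: the difference between the claimed and the available length is exactly the number of adjacent heap bytes an unchecked copy would disclose, which is why the thread's advice about replacing keys follows from a bug that never writes a single byte out of bounds.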
