by adekok
3554 days ago
For the record, the fixes for that CVE contain new CVEs.

https://www.openssl.org/news/secadv/20160926.txt

<sigh>

No one can reasonably say that the practices of the OpenSSL programmers result in secure code. No one can reasonably say that lots of people examining it later for defects is a good idea.

We have lots of legacy code in C. The only sane way to maintain it is tests: unit tests, functional tests, and static code analysis.

> a lot of OpenSSL's issues are due to legacy code

i.e. the OpenSSL people don't care to actively maintain / clean up their software. What a depressing statement to make.