by tptacek
6584 days ago
You have two advisories for the same 0.9.7l get-ciphers vulnerability. I have, as you've noticed, lost the ability to count. Yes, less than 40% of the evidence you provided survives a minute's scrutiny. If you really think OpenSSL has a worse track record than Sendmail, assert it directly. I don't think you will. I think you've just provided some spectacularly bad advice to web devs here, Colin.
No, there's one advisory for the original vulnerability, and a second advisory for a new vulnerability which was added when OpenSSL shipped a broken patch (this one we didn't notice in time -- mea culpa).
If you really think OpenSSL has a worse track record than Sendmail, assert it directly. I don't think you will.
Overall? No -- Sendmail had a horrible track record in the past. Recently? Yes, I would say that OpenSSL has a worse track record than Sendmail over the past 4 years.
I think you've just provided some spectacularly bad advice to web devs here, Colin.
You're entitled to your opinion, of course, but I'd like to hear more details -- which bit in specific do you consider was bad advice?