Hello,
On Tue, Apr 8, 2014 at 9:25 PM, Hendrik Boom <[hidden email]> wrote:
>
> I've just heard about a potential vulnerability in OpenSSL. See
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743883 for the Debian
> version of this problem.
>
> In particular, the message states
>
> all keys used with vulnerable processes will need to be replaced both in
> Debian infrastructure and by all users of this package.
>
> I'm wondering whether monotone use is affected by this problem.

Monotone doesn't use TLS and thus the openssl implementation of TLS, and the
bug in question is specific to the TLS _extension implementation_ in openssl.
This is a "plain old" buffer overrun, or in this case buffer "overrun" ... [1]

> I don't know if it even uses OpenSSL

No, it uses botan but only for primitive crypto methods. Monotone's netsync
protocol and its implementation have other ... yet unknown bugs :)

[1] thorough bug analysis for the curious:
http://blog.existentialize.com/diagnosis-of-the-openssl-heartbleed-bug.html

--
Zbigniew Zagórski
/ software developer / geek /
http://zbigg.blogspot.com /
_______________________________________________
Monotone-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/monotone-devel