[Linux-aus] Post in ZDnet re: Heartbleed

Russell Coker russell at coker.com.au
Tue Apr 15 00:04:57 EST 2014


On Mon, 14 Apr 2014 22:37:57 Kathy Reid wrote:
> There's a post on ZDnet that posits that OpenSSL benefitted little from
> being open source;
> http://www.zdnet.com/did-open-source-matter-for-heartbleed-7000028378/
> I strongly disagree with a lot of the points in the article, but am
> interested in the thoughts of others.

I don't think that the author of that article is qualified to comment on such 
things.

> * If OpenSSL wasn't open source, the vulnerability may never have been found
> * The CVE was dealt with transparently and openly
> * The patch was freely available when the CVE was made public
> * The specific code vulnerability, now patched, will make other C code
> more secure as people learn from the error

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534534
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534656
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534687
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534683
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534685
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534699
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534889
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534892

Above are some bugs I filed against OpenSSL 0.9.8 which were closed when the 
new version was released.  I don't know if any of them were discussed 
upstream, I guess not.

http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse
http://article.gmane.org/gmane.os.openbsd.misc/211963

The OpenSSL code is a mess, the above two URLs give you some background.  I 
didn't look for any more because I knew that the code was awful after having 
tried to work on it.  I filed the above Debian bugs while trying to work out 
why my application would crash when I used two different libraries linked 
against OpenSSL; each of the libraries worked fine on its own, but I got heap 
corruption and a SEGV when I used both.  Valgrind didn't help me much (only 
enough to find 8 bugs which is nothing) and I gave up and forked off a child 
process to use one of the libraries.  There could be a security flaw in 
OpenSSL related to that bug I found, but as long as it's impossible to run 
Valgrind properly I can't find it.

I agree with Theo.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
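The mechanism behind the two links above (a buffer free-list that recycles blocks
instead of returning them to free(), so memcheck never sees a free and never flags
a stale pointer), as an added example that is not code from this post, from OpenSSL
or from Valgrind. It is a toy fixed-size free-list with two consumers sharing it,
plus the usual remedy of telling memcheck about the block's state through Valgrind's
client requests (VALGRIND_MAKE_MEM_NOACCESS / VALGRIND_MAKE_MEM_UNDEFINED from
valgrind/memcheck.h; they compile to nothing when that header is absent). All the
fl_* names, the block size and the sample strings are hypothetical.

```c
/* Added example: a toy buffer free-list in the style described in the
 * freelist-reuse analysis linked above, and why Valgrind memcheck is blind
 * to dangling pointers into it. Not code from the post, OpenSSL or Valgrind;
 * fl_* names and sizes are made up for illustration.
 * Build/run: cc -O0 -g freelist.c -o freelist && valgrind ./freelist
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Real Valgrind client requests when the header exists; otherwise no-ops so
 * the program behaves identically (memcheck just gets no hints). */
#if defined(__has_include)
#  if __has_include(<valgrind/memcheck.h>)
#    include <valgrind/memcheck.h>
#    define HAVE_MEMCHECK 1
#  endif
#endif
#ifndef HAVE_MEMCHECK
#  define VALGRIND_MAKE_MEM_NOACCESS(addr, len)  ((void)0)
#  define VALGRIND_MAKE_MEM_UNDEFINED(addr, len) ((void)0)
#endif

#define FL_BLOCK 64   /* hypothetical fixed block size (one record buffer) */
#define FL_MAX    8   /* how many freed blocks the list keeps instead of free() */

static char *fl_list[FL_MAX];
static int   fl_count = 0;
static int   fl_tell_memcheck = 0;  /* 0: plain free-list, 1: hint memcheck */

void fl_configure(int tell_memcheck) { fl_tell_memcheck = tell_memcheck; }
int  fl_pending(void) { return fl_count; }   /* blocks parked on the list */

char *fl_alloc(void)
{
    if (fl_count > 0) {
        char *p = fl_list[--fl_count];  /* recycled: libc never saw a free() */
        if (fl_tell_memcheck)           /* readable again, contents undefined */
            (void)VALGRIND_MAKE_MEM_UNDEFINED(p, FL_BLOCK);
        return p;
    }
    return malloc(FL_BLOCK);
}

void fl_free(char *p)
{
    if (fl_count < FL_MAX) {
        if (fl_tell_memcheck)           /* any touch is now an "Invalid read" */
            (void)VALGRIND_MAKE_MEM_NOACCESS(p, FL_BLOCK);
        fl_list[fl_count++] = p;        /* parked, not freed */
        return;
    }
    free(p);                            /* list full: really release it */
}

/* Two consumers of one process-wide free-list (think: two libraries in the
 * same process, both linked against the same OpenSSL). A frees its buffer
 * but keeps a dangling pointer; B then gets exactly that block.
 * Returns a bitmask: 1 = B got A's block, 2 = A's stale pointer still reads
 * A's old data after the free, 4 = A's stale pointer reads B's data.
 * With a plain free-list memcheck reports nothing for any of these reads,
 * because as far as libc is concerned the block was never freed. */
int stale_pointer_observations(int tell_memcheck)
{
    int seen = 0;
    fl_configure(tell_memcheck);

    char *a = fl_alloc();
    snprintf(a, FL_BLOCK, "consumer A record");
    fl_free(a);                                     /* a is now dangling */
    if (strcmp(a, "consumer A record") == 0)        /* use-after-free #1 */
        seen |= 2;                                  /* (flagged only with hints) */

    char *b = fl_alloc();                           /* same block handed back */
    if (b == a)
        seen |= 1;
    snprintf(b, FL_BLOCK, "consumer B secret");
    if (b == a && strcmp(a, "consumer B secret") == 0)  /* A reads B's data */
        seen |= 4;

    fl_free(b);
    return seen;
}

int main(void)
{
    printf("plain free-list:  observations=%d pending=%d\n",
           stale_pointer_observations(0), fl_pending());
    printf("with memcheck hints: observations=%d (run under valgrind to see "
           "the use-after-free reported)\n", stale_pointer_observations(1));
    return 0;
}
```

Without the client requests (or with the free-list bypassed so blocks really
go back to free(), which is what the linked analysis recommends) memcheck has
nothing to say here, which is the situation described above: the tool is not
broken, it simply never learns that the block changed hands.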