[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Legitimacy of new Heartbleed exploit?

To: Jann Horn <jann@xxxxxxxxx>
Subject: Re: [FD] Legitimacy of new Heartbleed exploit?
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Fri, 25 Apr 2014 12:04:32 -0700

> It's bullshit. They say: 'A missing bounds check in the handling of the
> variable "DOPENSSL_NO_HEARTBEATS"'. That's not a variable, the "D" is
> not actually part of the name, and it's a compile-time macro that
> configures whether heartbeats will be compiled in or not. And because
> it's a compile-time thing, it's nothing that an attacker could ever
> influence.

That's what the NSA would say.

/mz

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] Legitimacy of new Heartbleed exploit?
  - From: Dillon Korman
- Re: [FD] Legitimacy of new Heartbleed exploit?
  - From: Jann Horn

Prev by Date: [FD] CS, XSS and FPD vulnerabilities in multiple themes with CU3ER for WordPress
Next by Date: Re: [FD] Legitimacy of new Heartbleed exploit?
Previous by thread: Re: [FD] Legitimacy of new Heartbleed exploit?
Next by thread: Re: [FD] Legitimacy of new Heartbleed exploit?
Index(es):
- Date
- Thread