Thad Floryan
2014-04-11 19:37:31 UTC
Found the following on the 'Net yesterday:
" Actually, it was Robin Seggelmann (seggelmann at fh-muenster.de) who
" provided Dr. Stephen Henson (steve at openssl.org) this single line
" of code, which "is" the heartbleed bug, in a heartbeat:
"
" buffer = OPENSSL_malloc(1 + 2 + payload + padding);
"
" The problem is that our Dr. Steve dutifully committed this code
" on Sat, 31 Dec 2011 at the ripe time of an hour before the new year:
" 15:59:57 -0700 (22:59 +0000).
"
" Of course Steve didn't check the code, and, one wonders, why was
" Steve checking in someone else's submitted code (which is a basic
" no-no in security software practices)?
"
" The result is that now, all encrypted data to two million servers
" that someone bothered to archive in the past two years (*cough*
" MPS, *cough* NSA, *cough* FIS) is/was wide-open cleartext!