Re: Debian Security Announcement
Is it absolutely impossible for these guys to just send out an announcement in plain English?
A memory leak flaw was found in the way OpenSSL handled failed
session ticket integrity checks. A remote attacker could exhaust all
available memory of an SSL/TLS or DTLS server by sending a large number
of invalid session tickets to that server.
What? Where? What typical applications/scenarios might be affected? Real world examples? No wonder the Open Source world has such a bad rep amongst non-geeks. Pure gobbledygook brought on by severe laziness and extreme arrogance.
That's pretty plain English for an announcement on a crypto library. They clearly state the issue is in session handling and that it can be used to exhaust memory. Don't really see how it could be any clearer.
There are so many applications using OpenSSL that listing them would not be practical. I doubt the OpenSSL team even knows all the applications that may use the libraries.
The announcement is obviously intended for a somewhat technical audience. It would be up to your sysadmin (in a corporate environment) to disseminate information as to what, within your organisation, is affected and how.
Would you think the same of a technical bulletin issued by a car manufacturer, when it is really intended for mechanics rather than end users?
I'm sorry, but it appears the laziness and arrogance are on your part for assuming the technical announcement from developers would be watered down to be suitable for you.