Reply to post: Re: Debian Security Announcement

Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat

Down not across Silver badge

Re: Debian Security Announcement

Is it absolutely impossible for these guys to just send out an announcement in plain English?

A memory leak flaw was found in the way an OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.

What? Where, what typical applications/scenarios might be affected? Real world examples? No wonder the Open Source world has such a bad rep amongst non geeks. Pure gobbledygook brought on by severe laziness and extreme arrogance.

That's pretty plain English for an announcement on a crypto library. They clearly state the issue is in session handling and that it can be used to exhaust memory. Don't really see how it could be any clearer.

There are so many applications using OpenSSL that listing them would not be practical. I doubt the OpenSSL team even know all the applications that may use the libraries.

The announcement is obviously intended for a somewhat technical audience. It would be up to your sysadmin (in a corporate environment) to disseminate information as to what, within your organisation, is affected and how.

Would you think the same of a technical bulletin issued by a car manufacturer, when it is really intended for mechanics rather than end users?

I'm sorry but it appears the laziness and arrogance is on your part for assuming the technical announcement from developers would be watered down to be suitable for you.

Biting the hand that feeds IT © 1998–2019