Full Disclosure mailing list archives

Re: Legitimacy of new Heartbleed exploit?

From: Jann Horn <jann () thejh net>
Date: Fri, 25 Apr 2014 21:00:17 +0200

On Fri, Apr 25, 2014 at 08:18:04AM -1000, Dillon Korman wrote:

Saw a link to this:
http://pastebin.com/qPxR9BRv

Do you think there really is a working exploit on new versions of OpenSSL?


It's bullshit. They say: 'A missing bounds check in the handling of the
variable "DOPENSSL_NO_HEARTBEATS"'. That's not a variable, the "D" is
not actually part of the name, and it's a compile-time macro that
configures whether heartbeats will be compiled in or not. And because
it's a compile-time thing, it's nothing that an attacker could ever
influence.

Attachment: signature.asc
Description: Digital signature


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Current thread:

Legitimacy of new Heartbleed exploit? Dillon Korman (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Jann Horn (Apr 25)
  - Re: Legitimacy of new Heartbleed exploit? Michal Zalewski (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? H. Dong (Apr 25)
  - Re: Legitimacy of new Heartbleed exploit? david switzer (Apr 25)
    - Re: Legitimacy of new Heartbleed exploit? Ivan Kwiatkowski (Apr 28)
- Re: Legitimacy of new Heartbleed exploit? Bennett Todd (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Peter Malone (Apr 25)