Full Disclosure mailing list archives
Re: Legitimacy of new Heartbleed exploit?
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Fri, 25 Apr 2014 12:04:32 -0700
It's bullshit. They say: 'A missing bounds check in the handling of the variable "DOPENSSL_NO_HEARTBEATS"'. That's not a variable, the "D" is not actually part of the name, and it's a compile-time macro that configures whether heartbeats will be compiled in or not. And because it's a compile-time thing, it's nothing that an attacker could ever influence.
That's what the NSA would say. /mz _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Legitimacy of new Heartbleed exploit? Dillon Korman (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Jann Horn (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Michal Zalewski (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? H. Dong (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? david switzer (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Ivan Kwiatkowski (Apr 28)
- Re: Legitimacy of new Heartbleed exploit? david switzer (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Bennett Todd (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Peter Malone (Apr 25)
- Re: Legitimacy of new Heartbleed exploit? Jann Horn (Apr 25)