Date:      Wed, 9 Apr 2014 11:54:28 -0400
From:      ari edelkind <edelkind-list-freebsd-security@episec.com>
To:        freebsd-security@freebsd.org
Subject:   Re: Proposal
Message-ID:  <CAPxErSUkfJjS_kZcYb3gUbKZbcYwoGwC2O0gjRZmxNPpMPZ3TA@mail.gmail.com>
In-Reply-To: <53456946.9030200@rewt.org.uk>
References:  <9eeba1ab-2ab0-4188-82aa-686c5573a5db@me.com> <8D81F198-36A7-47F4-B486-DA059910A6B4@spam.lifeforms.nl> <53456946.9030200@rewt.org.uk>

On Wed, Apr 9, 2014 at 11:37 AM, Joe Holden wrote:

> 24 hours for a fix that doesn't break ABI and is relatively simple (and
> proven to be fine by other distros) is horrendous for such a critical
> problem.  I mentioned this on Twitter also, but there wasn't even a heads-up
> from the SO until the patch went live.
>

To give this some additional perspective, it took me approximately 30
minutes to write a working exploit.

Everyone makes a big deal out of private keys (which, admittedly, are a big
deal), but I was able to collect usernames, passwords, session credentials,
back-end single-sign-on credentials (e.g. client tokens), database
passwords, and more from affected hosts -- all quite easily.

ari


