Date:      Thu, 24 Apr 2014 08:33:58 +0200
From:      Erik Cederstrand <erik+lists@cederstrand.dk>
To:        Gary Palmer <gpalmer@freebsd.org>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID:  <9330A007-63D2-4930-AB33-4EEE64AEF670@cederstrand.dk>
In-Reply-To: <20140424000744.GE15884@in-addr.com>
References:  <10999.1398215531@server1.tristatelogic.com> <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk> <B4A7F879-588B-4414-B416-601066C4E61A@mac.com> <546CE3A8-FC87-472F-8A63-0497D0D28789@cederstrand.dk> <F66D539F-0607-4653-9A90-56482671898B@mac.com> <20140424000744.GE15884@in-addr.com>


On 24/04/2014 at 02.07, Gary Palmer <gpalmer@freebsd.org> wrote:
> 
> I also think we're getting off topic.  Any concrete steps people are
> willing to take to make FreeBSD more secure?

Well, the static analysis reports aren't totally useless, but we need some way of marking them as false positives or wontfix, so the effort isn't duplicated. Out of the 10,000 reports, a conservative guess is that at least 100 of them are real security issues. And they are public, so Mallory can just pick one now and write an exploit. A year ago, I did a raid on reports about not checking the return value of setuid() and friends, which did uncover real issues.

Erik
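The class of report Erik mentions, unchecked return values from setuid() and friends, is easy to see in code. The following is an added illustration, not code from this thread or from FreeBSD: it puts the flagged pattern (return values ignored, so a failed setuid() leaves the process with its original privileges) next to a checked version that drops the group first, tests every call, and then verifies through getuid()/geteuid()/getgid()/getegid() that the kernel actually applied the change. The function names are my own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* The pattern the static analyser flags: return values silently ignored.
 * If setuid() fails (EPERM, or EAGAIN on systems that enforce RLIMIT_NPROC
 * for the target uid), the process keeps its original privileges and
 * carries on as if the drop had happened. */
static void drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    setgid(gid);
    setuid(uid);
}

/* Checked form. The group is changed first because setgid() needs the
 * privileges that setuid() is about to give up. Every call is tested and
 * the resulting ids are verified. Returns 0 on success, -1 on failure with
 * errno set and a diagnostic on stderr. */
int drop_privileges_checked(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0) {
        fprintf(stderr, "setgid(%ld) failed: %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (setuid(uid) != 0) {
        fprintf(stderr, "setuid(%ld) failed: %s\n", (long)uid, strerror(errno));
        return -1;
    }
    /* Confirm the change took effect for both real and effective ids. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid) {
        fprintf(stderr, "privilege drop not applied\n");
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 if the process currently runs with exactly (uid, gid) as both
 * real and effective ids, 0 otherwise. */
int running_as(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Dropping to the ids we already hold always succeeds, so the program
     * can be run unprivileged to see both paths execute. */
    uid_t uid = getuid();
    gid_t gid = getgid();

    drop_privileges_unchecked(uid, gid);
    if (drop_privileges_checked(uid, gid) != 0)
        return 1;
    printf("running as uid=%ld gid=%ld\n", (long)uid, (long)gid);
    return 0;
}
```

Run as an unprivileged user, drop_privileges_checked(0, 0) fails at setgid() with EPERM and reports it, whereas drop_privileges_unchecked(0, 0) returns as if nothing were wrong; that silent continuation is what makes this class of report worth the triage Erik describes.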

