Date: Thu, 24 Apr 2014 08:33:58 +0200 From: Erik Cederstrand <erik+lists@cederstrand.dk> To: Gary Palmer <gpalmer@freebsd.org> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole? Message-ID: <9330A007-63D2-4930-AB33-4EEE64AEF670@cederstrand.dk> In-Reply-To: <20140424000744.GE15884@in-addr.com> References: <10999.1398215531@server1.tristatelogic.com> <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk> <B4A7F879-588B-4414-B416-601066C4E61A@mac.com> <546CE3A8-FC87-472F-8A63-0497D0D28789@cederstrand.dk> <F66D539F-0607-4653-9A90-56482671898B@mac.com> <20140424000744.GE15884@in-addr.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Den 24/04/2014 kl. 02.07 skrev Gary Palmer <gpalmer@freebsd.org>: >=20 > I also think we're getting off topic. Any concrete steps people are > willing to take to make FreeBSD more secure? Well, the static analysis reports aren't totally useless, but we need = some way of marking them as false positive or wontfix, so the effort = isn't duplicated. Out of the 10.000 reports, a conservative guess is = that at least 100 of them are real security issues. And they are public, = so Mallory can just pick one now and write an exploit. A year ago, I did = a raid on reports about not checking the return value of setuid() and = friends, which did uncover real issues. Erik=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9330A007-63D2-4930-AB33-4EEE64AEF670>