Re: OpenSSH: What went wrong?
On Sat, Jun 29, 2002 at 03:36:16AM +1000, Darren Reed wrote:
> What I'd expect, for starters, is quite simply that all "new" code must
> be audited before a "major" OpenSSH release is made.
> I'd also expect that in an application like OpenSSH is for all inputs to
> be checked (this one wasn't). This new code should have been rejected
> by someone before it got into the CVS tree for OpenSSH because it was
> missing things like this.
> I don't particularly like the idea that this is a "new type of overflow".
> What that says to me is that you aren't really auditing software
> properly if these kinds of things have slipped through previous audits.
> Just for something different, maybe you should get together and have an
> auditathon rather than a hackathon.