OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Erik Cederstrand
erik+lists at cederstrand.dk
Thu Apr 24 06:43:58 UTC 2014
Den 24/04/2014 kl. 02.07 skrev Gary Palmer <gpalmer at freebsd.org>:
>
> I also think we're getting off topic. Any concrete steps people are
> willing to take to make FreeBSD more secure?
Well, the static analysis reports aren't totally useless, but we need some way of marking them as false positive or wontfix, so the effort isn't duplicated. Out of the 10.000 reports, a conservative guess is that at least 100 of them are real security issues. And they are public, so Mallory can just pick one now and write an exploit. A year ago, I did a raid on reports about not checking the return value of setuid() and friends, which did uncover real issues.
Erik
More information about the freebsd-security
mailing list