8 Apr
2014
8 Apr
'14
6:05 p.m.
On 2014-04-09 22:40 , Dean Pemberton wrote:
And from the same twitter thread saying it was unlikely... [can extract private key on vulnerable FreeBSD if it is first request]
"first request after restart" is a special case too ("possible, but unlikely"). The same thread/poster also says: "[...] Does not work on Debian. [...]" (also https://twitter.com/1njected/status/453781230593769472) which implies (as noted in that thread) something about the FreeBSD malloc patterns makes it more likely/possible than Debian's malloc. Those (who were) running a vulnerable OpenSSL on FreeBSD may wish to take that into account in their assessment :-) The main thing which is certain is that it's going to be a well studied/probed bug. Ewen