http://heartbleed.com/

This bug has been getting around. The bug was caused by missing bounds checking.

I'm glad to be using a language with bounds checking.

On Mon, 07 Apr 2014 18:28:02 -0500, w0rp <devw0rp@gmail.com> wrote:

> http://heartbleed.com/
>
> This bug has been getting around. The bug was caused by missing bounds checking.
>
> I'm glad to be using a language with bounds checking.

I thought the standard process (especially for such a massive security vulnerability) for these types of issues was to have a significant span of time between when the fix is publish and when the details of the vulnerability are released, yet from what I can see, they've published extensive details on the vulnerability on the exact same day that the fix was released. I really hope this isn't actually the case. (and more so, I hope none of the US news media who have any idea what it means get ahold of it, because it means that almost nobody in the US will not know about the issue, and believe me when I say, there are a LOT of people out there who would do a lot of harm with such a thing)

From what I understand, depending on the exact configuration of the sever, namely who's address space OpenSSL was loaded in, it would be possible to rip database passwords from the server's memory. Servers that act merely as a proxy to the internal servers (the configuration that most large websites would have, which offloads the (de/en)cryption to gateway nodes) wouldn't have as big of an issue, but it would still be an issue.

On 4/7/2014 7:28 PM, w0rp wrote:
> http://heartbleed.com/
>
> This bug has been getting around. The bug was caused by missing bounds
> checking.
>
> I'm glad to be using a language with bounds checking.

Whelp, time for that server system upgrade I've been putting off for far too long...

On 4/7/14, 8:28 PM, w0rp wrote:
> http://heartbleed.com/
>
> This bug has been getting around. The bug was caused by missing bounds
> checking.
>
> I'm glad to be using a language with bounds checking.

http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6

I think that flag shouldn't exist.

On 4/7/2014 9:59 PM, Ary Borenszweig wrote:
> On 4/7/14, 8:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>
>
> I think that flag shouldn't exist.
>

I think it's potentially useful on a very careful per-module basis for certain modules specifically intended for no compiler-inserted bounds checking (or better yet, for specific blocks of code). But I certainly would never compile a whole program with it. That's just asking for trouble.

On Tuesday, 8 April 2014 at 01:36:29 UTC, Nick Sabalausky wrote:
> On 4/7/2014 7:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> Whelp, time for that server system upgrade I've been putting off for far too long...

Indeed. If you were wondering why the wiki/forum were down, that's why...

On Mon, 07 Apr 2014 20:59:50 -0500, Ary Borenszweig <ary@esperanto.org.ar> wrote:

> On 4/7/14, 8:28 PM, w0rp wrote:
>> http://heartbleed.com/
>>
>> This bug has been getting around. The bug was caused by missing bounds
>> checking.
>>
>> I'm glad to be using a language with bounds checking.
>
> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>
> I think that flag shouldn't exist.
>

The bad thing is, I have some code that having bounds checks enabled actually improves the speed of.

On 4/7/2014 10:17 PM, Orvid King wrote:
> On Mon, 07 Apr 2014 20:59:50 -0500, Ary Borenszweig
> <ary@esperanto.org.ar> wrote:
>
>> On 4/7/14, 8:28 PM, w0rp wrote:
>>> http://heartbleed.com/
>>>
>>> This bug has been getting around. The bug was caused by missing bounds
>>> checking.
>>>
>>> I'm glad to be using a language with bounds checking.
>>
>> http://www.reddit.com/r/programming/comments/21m0bz/warp_a_fast_c_and_c_preprocessor/cged2y6
>>
>>
>> I think that flag shouldn't exist.
>>
>
> The bad thing is, I have some code that having bounds checks enabled
> actually improves the speed of.

Not surprised, but I imagine it's likely only a handful of places where the bounds checking is actually slowing things down noticeably. If you sniffed those out with a profiler and had a good way to get around bounds checking for those specific cases, I'd bet you'd get nearly the same speedup without sacrificing much safety.

On Mon, Apr 07, 2014 at 09:36:28PM -0400, Nick Sabalausky wrote:
> On 4/7/2014 7:28 PM, w0rp wrote:
> >http://heartbleed.com/
> >
> >This bug has been getting around. The bug was caused by missing bounds checking.
> >
> >I'm glad to be using a language with bounds checking.
> 
> Whelp, time for that server system upgrade I've been putting off for far too long...

I learned the hard way to always keep on top of the security upgrades. A year or two ago, I put off a pending upgrade for a week, and the day before I finally got around to it, my server was hacked via the same vulnerability that the upgrade would've fixed. They got root, so I had to nuke the system from orbit after backing up my data, and rebuild the server from scratch. :-( Ever since then, I've set up the system to notify me as soon as an update is available, and now I dare not delay to install it ASAP.


T

-- 
It said to install Windows 2000 or better, so I installed Linux instead.

On 4/8/2014 12:15 AM, H. S. Teoh wrote:
>
> I learned the hard way to always keep on top of the security upgrades. A
> year or two ago, I put off a pending upgrade for a week, and the day
> before I finally got around to it, my server was hacked via the same
> vulnerability that the upgrade would've fixed. They got root, so I had
> to nuke the system from orbit after backing up my data, and rebuild the
> server from scratch. :-( Ever since then, I've set up the system to
> notify me as soon as an update is available, and now I dare not delay to
> install it ASAP.
>

Yea, that's a good idea.

Is that Arch? How does your querying for security updates work? Just querying for updates on security-related packages, or somehow filtering on whether a package's update is security-realted...or just a general "grab every update for everything"?