undefined | Better HN

0 pointszaroth11y ago0 comments

I'm sure they've picked up now that the patch was bad. Should be an interesting day.

Wow the comments there are...

0 comments

timv11y ago

If your conclusion that the patch was bad is based on the fact that CVE-2014-7169 still exists, I think that's an unfair assessment.

The patch appears to have been a adequate fix to the bug that was discovered. The fact there is a second bug with a similar but not-identical attack vector, is a reflection on the robustness/correctness of the original code more than it is a reflection on the quality of the patch.

bodyfour11y ago

... and also a reflection of how much security attention this one obscure feature has been receiving in the last 24 hours.

This is very similar to the pattern we saw with heartbleed: a terrible bug with a lot of publicity followed by a series of other vulnerabilities found of various severity as suddenly it was "all eyes on OpenSSL": http://www.openssl.org/news/secadv_20140806.txt

I wouldn't be surprised if we're going to see a repeat of that here.

j / k navigate · click thread line to collapse