8 Apr
2014
8 Apr
'14
7:32 a.m.
On 08/04/14 11:02, Arran Cudbard-Bell wrote:
As it stands the next versions on all branches will refuse to build against libssl 1.0.1-1.0.1f because of the potential security risk.
Please don't do that, for the exact reasons you outlined. Hardcoding a version number blacklist into the build environment just means everyone building against an enterprise distro will have to patch your changes out. I realise it's a serious vulnerability, but "configure.in" of a project using the library is not the right place to address this. You'd be better off adding a runtime check and refusing to start without "allow_unsafe_openssl" global set or similar, if you must. At least that way people can configure the server to start once they've patched.