8 Apr
2014
8 Apr
'14
8:41 a.m.
Phil Mayers wrote:
Hardcoding a version number blacklist into the build environment just means everyone building against an enterprise distro will have to patch your changes out.
I understand.
You'd be better off adding a runtime check and refusing to start without "allow_unsafe_openssl" global set or similar, if you must. At least that way people can configure the server to start once they've patched.
Yes. And unfortunately there's no run-time check to say that OpenSSL has been patched to address the vulnerability. <sigh> Alan DeKok.