Re: Calysto v1.5 reports on openldap_v2.4.4alpha



Domagoj Babic wrote:

> Ok, thank you a bunch for the clarification.

> This might be especially relevant to buffer overrun checking

exactly

> However, Kurt, on the behalf of the OpenLDAP Foundation, explicitly
> stated that the foundation is not interested in having the code
> statically checked, so I won't be sending reports (except for one
> more I have already generated).

I don't think he said exactly that.  I believe he said the project is
not interested in receiving plain reports just for the purpose of
debugging Calysto (nothing personal: only, we're just a few volunteers,
and we cannot dedicate too much time to reviewing reports potentially
filled with false positives).  If you put some effort into separating what
could be critical from what isn't likely, any report would be welcome.

For example, I'm reviewing your initial submission and, apart from
what's directly related to the clients, there are a couple of reports
that may require some action.  I'll post about my findings later, on a
private basis.  Only, I'm not going to do this routinely and too often.

> Once Calysto becomes publicly available, you might actually get in a
> position where other people will be capable of finding exploits
> automatically --- every great technology has its dark side :-)

I know.  That's why I'm not going to entirely decline the reports you
offered to submit.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------