7 new security-flaws got patched:
2 of which concerned the DTLS protocol:
Andy Polyakov apparently is responsible for >this< function in openssl/crypto/x86cpuid.pl
It appears to be a "Return Oriented Programming hack"; it's supposed to solve an obscure problem in Windows, which just seems like utter bullshit, because it's also in the Linux implementation and all the other platforms.
Explanation for the ROP hack:
The Core Infrastructure Initiative gets money from: Intel, Microsoft, Amazon Web Services & others.
Amazon sells gear to the CIA:
Microsoft gives NSA access to Skype:
These companies are the ones paying for the 2 audit jobs:
Today, the foundation announced that the first projects to get funding will be OpenSSL, OpenSSH, and Network Time Protocol. "OpenSSL will receive funds from CII for two, full-time core developers," the announcement said. "The Open Crypto Audit Project (OCAP) will also receive funding in order to conduct a security audit of the OpenSSL code base."
The fellowships are going to developers:
- Stephen Henson
- Andy Polyakov
Andy is the guy who introduced the undocumented ROP entry point in the openssl/crypto/x86cpuid.pl mentioned earlier.
Now he's the one supposed to audit/fix OpenSSL ---> WTF?
This sounds like an attempt to sabotage open-source security infrastructure.
This is >>not<< my research; all the credit/blame goes to bschulz in the heise Security forum (note: German).
I'm not an IT security expert, so I'd like to hear the opinion of somebody more knowledgeable than myself.