The bug was in OpenSSL 1.0.1, released on March 14, 2012 and was patched in version 1.0.1g, April 2014. So over 2 years' vulnerability window.
-
Almost all serialization options are going to end up with the same issues as ASN.1 & DER. DER itself is just a Type-Length-Value encoding and can be parsed without knowing the schema. The ASN.1 schema language is rather convoluted, but that doesn't impact the encoded data.
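An added example, not part of the thread: a minimal schema-less DER walker showing the Type-Length-Value structure described above, including the length checks a strict parser needs. The function names and the sample bytes are constructed for illustration, and only low tag numbers (below 31) are handled.

```python
def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (class, constructed, number, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    ident, first = buf[pos], buf[pos + 1]
    if ident & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled here")
    pos += 2
    if first < 0x80:                      # short form: length in one byte
        length = first
    elif first == 0x80:                   # indefinite length is BER only
        raise ValueError("indefinite length is not valid DER")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        raw = buf[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated length")
        length = int.from_bytes(raw, "big")
        if raw[0] == 0 or length < 0x80:  # DER requires the shortest encoding
            raise ValueError("non-minimal length")
        pos += n
    end = pos + length
    if end > len(buf):                    # never trust the declared length
        raise ValueError("length exceeds buffer")
    return ident >> 6, bool(ident & 0x20), ident & 0x1F, buf[pos:end], end

def walk(buf, depth=0, max_depth=32):
    """Parse every TLV in buf, recursing into constructed values, with no schema."""
    if depth > max_depth:
        raise ValueError("nesting too deep")
    nodes, pos = [], 0
    while pos < len(buf):
        cls, constructed, num, value, pos = read_tlv(buf, pos)
        nodes.append((cls, num, walk(value, depth + 1, max_depth) if constructed else value))
    return nodes

def is_well_formed(buf):
    """True if buf parses as a sequence of strict DER TLVs."""
    try:
        walk(buf)
        return True
    except ValueError:
        return False

# Constructed sample: SEQUENCE { INTEGER 5, OCTET STRING "hi" }
SAMPLE = bytes.fromhex("300702010504026869")

if __name__ == "__main__":
    print(walk(SAMPLE))
```

The walker recovers the tree structure and raw values only; interpreting what each field means still requires the schema.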
-
I wonder if while that's good theory, whether in practice there are much more robust (and efficient) parsers already for protobufs and CBOR. In more languages too.