[rtmpdump] add support for PolarSSL-1.3.x to rtmpdump

Howard Chu hyc at highlandsun.com
Fri May 30 18:21:37 CEST 2014


Eugene Rudoy wrote:
> Hi Julian,
>
> first of all there are at least two branches not affected by any (known)
> security vulnerability anymore (see
> https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05,
> it's actually the same advisory you pointed out in your mail from
> May 2nd). So it does make sense to support multiple versions of
> PolarSSL.

> On Fri, May 30, 2014 at 1:51 PM, hasufell <hasufell at gentoo.org> wrote:
>> With that patch, you support vulnerable versions of polarssl.

This is utter nonsense, since RTMP never uses RSA.

>> Upstream developers should never rely on distributors to fix this. The
>> code should not compile with any known vulnerable version.

The majority of users of librtmp are using it solely as a client. Even if any 
crypto library in question was riddled with vulnerabilities, that would have 
absolutely zero impact on the usefulness or safety of RTMPdump, because the 
client side has no secrets of its own. There is nothing to divulge, there is 
nothing valuable for an attacker to target.



