[rtmpdump] add support for PolarSSL-1.3.x to rtmpdump

Howard Chu hyc at highlandsun.com
Fri May 30 18:21:37 CEST 2014

Eugene Rudoy wrote:
> Hi Julian,
> first of all there at least two branches not affected by any (known)
> security vulnerability anymore (s.
> https://polarssl.org/tech-updates/security-advisories/polarssl-security-advisory-2013-05,
> it's actually the same advisory you pointed out to in your mail from
> May 2nd). So it does make sense to support multiple versions of
> PolarSSL.

> On Fri, May 30, 2014 at 1:51 PM, hasufell <hasufell at gentoo.org> wrote:
>> With that patch, you support vulnerable versions of polarssl.

This is utter nonsense, since RTMP never uses RSA.

>> Upstream developers should never rely on distributors to fix this. The
>> code should not compile with any known vulnerable version.

The majority of users of librtmp are using it solely as a client. Even if any 
crypto library in question was riddled with vulnerabilities, that would have 
absolutely zero impact on the usefulness or safety of RTMPdump, because the 
client side has no secrets of its own. There is nothing to divulge, there is 
nothing valuable for an attacker to target.

More information about the rtmpdump mailing list