Several thoughts on CVE-2014-0160
This week the whole internet was blown away by CVE-2014-0160. It was a real pain for us since we needed to urgently update our servers. Around 2/3 of our servers were affected by this problem. However, patches were available for Debian, CentOS and Ubuntu LTS pretty quickly and we were able to apply them.
This, however, raises several really interesting points about my view of the whole open-source ecosystem:
- The open-source nature of Linux/BSD allows vulnerabilities to be patched very quickly.
- The argument that many eyes in open source help to eliminate really important issues is not always the case, especially when the code is complex and deals with security.
- Each time I listen to the BSDNow podcast I keep hearing how good and secure BSD systems are, and OpenSSL is commonly used as the primary example to confirm this point. Given the mentioned CVE-2014-0160 OpenSSL problem I became really sceptical about it. Linux again seems to me the most advanced and usable platform for both servers and Java development.