Forum OpenACS Improvement Proposals (TIPs): Re: TIP #33 (Proposed): deprecate the PayflowPro package

Posted by C. R. Oldham on
Greetings,

Another reason to deprecate this is that libpfpro.so is statically linked against an *old* version of OpenSSL (0.9.5-something). Since Verisign is loath to provide an updated version, you may be opening your site to an attack of some sort if bugs in that version of OpenSSL can be exploited somehow via libpfpro.so.

Granted, the attack surface is pretty small, but you never know.

Posted by Jeff Davis on
I approve of this as well (if only because Verisign is the devil).