paizo.com Favorited Posts by Tramarius
2019-07-03T17:27:37Z

Re: Forums: Website Feedback: Pathfinder Reference Document (PRD) Reporting Thread
Tramarius
https://paizo.com/threads/rzs2soys&page=5?Pathfinder-Reference-Document-Reporting-Thread#250
2016-02-05T01:58:19Z
2016-02-05T01:55:00Z
<div class="messageboard-quotee">Fromper wrote:</div><blockquote> <div class="messageboard-quotee">Kobold Cleaver wrote:</div><blockquote> These fiends and their extraneous tags. </blockquote>Fiendish. </blockquote><p>Damn. Good call and no joke gentlemen. If the Demons and Devils are affected, why not the other fiends too? Sure enough, there are a couple more extraneous tags mixed into the <a href="http://paizo.com/pathfinderRPG/prd/bestiary2/daemon.html" target="_blank" rel="nofollow">Bestiary 2 Daemons</a>.</p>
<p>In the descriptive text under the <a href="http://paizo.com/pathfinderRPG/prd/bestiary2/daemon.html#daemon,-olethrodaemon" target="_blank" rel="nofollow">Olethrodaemon Paragons</a>, <b>Line 687</b>.</p>
<div class="messageboard-quotee">Line 687 wrote:</div><blockquote><p> ... An olethrodaemon paragon generally has from 4 to 8 additional Hit Dice, and is usually a <b><span class=stat-block-cr>CR 22</span></b> to <b><span class=stat-block-cr>CR 24</span></b> creature.</p></blockquote><p>I'm guessing we might spot (roll for Perception!) even more on the Celestial pages (among others) as well.
<p><b>EDIT:</b> Found another one in Bestiary 2. In the stat block of the <a href="http://paizo.com/pathfinderRPG/prd/bestiary2/devil.html#devil,-immolation" target="_blank" rel="nofollow">Immolation Devil (Puragaus)</a>, <b>Line 484</b>.</p>
<div class="messageboard-quotee">Line 484 wrote:</div><blockquote><p class="stat-block-2">1/day&mdash;summon (level 9, any 2d4 devils of <b><span class=stat-block-cr>CR 10</span></b> or lower, 90%)</p></blockquote>

Re: Forums: Website Feedback: Pathfinder Reference Document (PRD) Reporting Thread
Tramarius
https://paizo.com/threads/rzs2soys&page=4?Pathfinder-Reference-Document-Reporting-Thread#157
2015-12-06T11:14:56Z
2015-12-06T10:30:54Z
<p>Confirming and adding to RJGrady's report. </p>
<p>Extraneous <b>&lt;b&gt;&lt;span class=stat-block-cr&gt;&lt;/span&gt;&lt;/b&gt;</b> tags embedded in the text are at fault. The three he reported are on <b>Line 413</b> but there's <b>another one</b> mixed in with the 1/day SLA line of the stat block itself after <a href="http://paizo.com/pathfinderRPG/prd/bestiary/universalMonsterRules.html#summon" target="_blank" rel="nofollow">summon</a> on <b>Line 389</b>.</p>
<div class="messageboard-quotee">Line 389 wrote:</div><blockquote><p class="stat-block-2">1/day&mdash;<i><a href="/pathfinderRPG/prd/coreRulebook/spells/blasphemy.html#blasphemy" >blasphemy</a></i> (DC 25), <i><a href="/pathfinderRPG/prd/coreRulebook/spells/fireStorm.html#fire-storm" >fire storm</a></i> (DC 26), <i><a href="/pathfinderRPG/prd/coreRulebook/spells/implosion.html#implosion" >implosion</a></i> (DC 27), <a href="universalMonsterRules.html#summon" >summon</a> (level 9, any 1 <b><span class=stat-block-cr>CR 19</span></b> or lower demon 100%)</p></blockquote>

Re: Forums: Website Feedback: The Heartbleed bug
Tramarius
https://paizo.com/threads/rzs2qvil?The-Heartbleed-bug#21
2014-04-12T01:47:43Z
2014-04-11T18:58:34Z
<p>We can't really point that finger at the NSA for this. The software is open source, so in principle any of us with sufficient qualifications (not me!) could have audited the code to find the bug, and yet the bug has been in the wild since <a href="http://www.pcpro.co.uk/news/388162/heartbleed-coder-bug-in-openssl-was-an-honest-mistake" target="_blank" rel="nofollow">December 2011</a>.</p>
<div class="messageboard-quotee">hearbleed.com wrote:</div><blockquote><p><b>Is this a design flaw in SSL/TLS protocol specification?</b></p>
<p>No. This is [an] implementation problem, i.e. programming mistake in popular OpenSSL library that provides cryptographic services such as SSL/TLS to the applications and services.</p></blockquote>
<div class="messageboard-quotee">http://www.openssl.org/news/secadv_20140407.txt wrote:</div><blockquote><p>OpenSSL Security Advisory [07 Apr 2014]
<br />
========================================</p>
<p>TLS heartbeat read overrun (CVE-2014-0160)
<br />
==========================================</p>
<p>A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.</p>
<p>Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.</p>
<p>Thanks for Neel Mehta of Google Security for discovering this bug and to Adam Langley &lt;agl@chromium.org&gt; and Bodo Moeller &lt;bmoeller@acm.org&gt; for preparing the fix.</p>
<p>Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS.</p>
<p>1.0.2 will be fixed in 1.0.2-beta2.</blockquote><p><b>@Tamago:</b> Thanks for that XKCD link. I LOLed.
<p><b>@Lissa:</b> While https://secure.paizo.com is not vulnerable to Heartbleed, according to <a href="https://www.ssllabs.com/ssltest/analyze.html?d=secure.paizo.com" target="_blank" rel="nofollow">Qualys SSL Labs</a> it does have some lingering security shortfalls because you're still running TLS 1.0 (which, ironically, is probably why you weren't vulnerable).</p>