Slashdot Mirror


OpenSSL Security Update

Pseud0 writes "Just announced on the OpenSSL announce mailing list. The affected versions are "[...] OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server. 0.9.6d servers on 32-bit systems with SSL 2.0 disabled are not vulnerable." Get your updates here."

4 of 208 comments

  1. Question by Ender+Ryan · · Score: 3, Interesting

    What is the difference between openssl-engine-0.9.6e.tar.gz and openssl-0.9.6e.tar.gz?

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden
  2. Re:Security is a Fallacy by DLR · · Score: 2, Interesting

    So, just because it's easy to pick a lock means I shouldn't have locks on my car, home, etc.? No, there is an entire hierarchy of locks, some more difficult to pick than others. The question is how much do you want to pay for your locks? A pin tumbler (aka cylinder lock) is inexpensive, fairly easy to pick (so I hear) and what almost everyone in the USA has on the door of their dwelling. Wafer tumblers are even easier to pick, but that's what protects your car. Why use them since they're so insecure? Because they do the job 99% of the time.

    So do a cost/benefit analysis: are you better off NOT using SSH/SSL et al., or does it make sense to use them? Take a look at the history of what you are discussing. I don't believe that SSL has ever been cracked "in the wild". All of the Internet credit card theft I am aware of has been from the server being rooted and access to the data obtained, never through intercepting it en route.

    DLR

    --
    "Like fire and fusion, government is a dangerous servant and a terrible master."~RAH
  3. Re:buffer overrun != cracked encryption by roachmotel3 · · Score: 2, Interesting

    Ahh -- but that's not CRACKING encryption. That's working from within the boundaries of the system to achieve a goal. Cracking OpenSSL would be like cracking WEP -- if you give me enough data, I could crack the key and start decrypting traffic. This is VERY different.

    The point is that the actual method of encryption itself, the mathematical formulas and principles, are still very valid and relevant. It just means that you can't leave the backdoor unlocked.

  4. Upgrading SSL is nothing like upgrading SSH by tzanger · · Score: 5, Interesting

    I have 18 firewalls to update (I sell these and support them, it's a nice way to supplement my income). I'm not having much luck updating them though.

    So far (on 5/7 firewalls), updating the ssl libraries caused ssh to kick out. This is very much unlike upgrading ssh, where the currently running sessions would stay active and you just kill off the 'parent' sshd process and restart sshd to upgrade.

    Does anyone know why upgrading the shared lib is kicking out running sessions of ssh linked against it? Short of compiling sshd statically, is there any way around this? So far all the boxes are local but I have a few that are quite a distance and short of enabling telnet with a throwaway root account or statically compiling a temporary sshd, I'm screwed. :-)
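An added example for the situation tzanger describes (not code from the thread or from OpenSSL): on Linux a process started before libssl/libcrypto was replaced on disk keeps the old copy mapped, and /proc/<pid>/maps flags that mapping "(deleted)". This script lists such processes so you know which daemons still run the old library and need a restart; the pid 1234 and the sample maps lines are constructed.

```shell
# Parse /proc/<pid>/maps-style text on stdin; print "pid path" once for
# each distinct OpenSSL shared object whose file has been replaced
# (the kernel appends "(deleted)" to the mapping in that case).
# $1 is the pid label to print.
stale_openssl_maps() {
    pid="$1"
    awk -v pid="$pid" '
        $6 ~ /lib(ssl|crypto)[^ ]*\.so/ && $7 == "(deleted)" {
            if (!seen[$6]++) print pid, $6
        }'
}

# Walk every process on a live box (run as root to read other users'
# maps). Each line printed names a pid still executing the old library.
scan_live_system() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale_openssl_maps "$pid" < "$maps"
    done
}

# Constructed sample (hypothetical pid 1234): an sshd started before
# libssl/libcrypto 0.9.6 were replaced on disk. libc is untouched.
SAMPLE_MAPS='08048000-0809e000 r-xp 00000000 03:01 12345 /usr/sbin/sshd
40000000-40016000 r-xp 00000000 03:01 2222 /lib/ld-linux.so.2
40030000-400a0000 r-xp 00000000 03:01 3333 /usr/lib/libssl.so.0.9.6 (deleted)
400a0000-400a8000 rw-p 00070000 03:01 3333 /usr/lib/libssl.so.0.9.6 (deleted)
400b0000-40190000 r-xp 00000000 03:01 3334 /usr/lib/libcrypto.so.0.9.6 (deleted)
40190000-40280000 r-xp 00000000 03:01 4444 /lib/libc.so.6'

# Run the parser over the constructed sample; prints one line per
# stale OpenSSL library (libssl and libcrypto), nothing for libc.
stale_from_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_openssl_maps 1234
}

stale_from_sample
```

On a live system call scan_live_system instead; an empty result means no running process still maps a replaced OpenSSL library.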