Slashdot Mirror


OpenSSL Security Vulnerability

SiliconEntity writes "On the heels of multiple OpenSSH vulnerabilities, the OpenSSL project is now reporting a number of security vulnerabilities of its own. OpenSSL is a standard cryptographic library used in a wide variety of security applications. The new vulnerabilities range from denial-of-service attacks to stack corruption, which imply the possibility of running malicious code. New versions of the software are released today which address the vulnerabilities."

14 of 245 comments

  1. Minor Bug by cyberlotnet · · Score: 0, Interesting

    This is an extremely minor bug that will most likely only affect someone that issues client certs for per-user auth to their site.

    Nothing extreme, barely even worthy of a front page showing.

  2. No more buffer overflows with Java!! by Anonymous Coward · · Score: 1, Interesting

    Stack corruption? Sounds like a buffer overflow problem. If only they used Java!

  3. Re:dang! by GSloop · · Score: 4, Interesting

    I'm getting really sick of hearing...

    "Just run Windows Update. It's easy!"
    "Just run apt-get. It's easy!"

    I'd like to quit running updates every 15 seconds or so.

    I'd prefer it was right the first time. I'm getting really tired of patching machines all over the place. I'm turning into a patch monkey. Test, patch, test, patch, test, patch - with an occasional sleep and eat thrown in.

    No matter how easy Windows update is, it still has to get done. If MS does it for you, you'll worry about them breaking stuff. If you have to do it yourself, you worry you'll miss something, or break it yourself. Frankly, that sucks.

    Cheers,
    Greg

  4. Redhat 6.2 updates? by whoever57 · · Score: 2, Interesting

    Anyone got any suggestions where I can find updated rpms for a RH6.2 machine?

    Other than compiling from source, that is. Or upgrading to a supported distro! I'm hoping to put off that day!

    --
    The real "Libtards" are the Libertarians!

  5. Re:Why is some software more secure than others? by cras · · Score: 2, Interesting

    I think I'll have to change the wording some more. Complex things require complex code, that's fine. If there's a security hole because the behaviour was wrong in some case, it's understandable.

    What I especially don't like is that the same old buffer overflow and other memory allocation related problems come up over and over again. The first problem in this case was a double-free() bug. Although this is the most difficult C-related problem to solve easily (without a garbage collector), with cleaner code it likely wouldn't have gone there in the first place. If you can easily see where the memory is allocated and deallocated, it's hard to screw up.

  6. Re:already patched by Michalson · · Score: 2, Interesting

    Perhaps they announce the bugs just after Microsoft does in hopes that the OSS community will still be bashing the "M$ is teh suc" drum loud enough that they won't notice yet another exploit (BTW, has buggy Outlook been able to beat Mozilla's "run arbitrary code just by *connecting* to a POP mail server" exploit yet?)

  7. Re:Lazy admin and Auto-Update by Elwood+P+Dowd · · Score: 2, Interesting

    Also important is ease of updates for those of us that are semi-diligent.

    For example, the two latest RPC patches (blaster and successor) have been mildly annoying to install. Sure, you just run MS's update tool, but I've found that about 20% of machines still read unpatched according to MS's security auditing tool. This makes it kind of a pain to ensure compliance.

    After reapplying the patch six or seven times to some machines, our network is safe. That's kind of lame.

    Similarly, the patch that would have prevented SQL Slammer was a colossal pain in the ass to install. Fortunately, we don't have any laptop users with SQL Server, so there was no potential infection vector on our network, and we had plenty of time to patch.

    Deploying all the different Office VB patches is looking prohibitively difficult to me. It hasn't been exploited yet by a worm, but when it does... shit. I hope our AV is up to the task.

    I guess MS Software Update Server is an absolute necessity. No two ways about it. Weird how it doesn't get more discussion.

    Almost always, apt-get upgrade is cake. I'm just concerned about those times it breaks. Hopefully it can always be repaired manually. I've definitely run into snags with apt-get that were beyond my ability to repair. It was on a toy machine, so it might have had an unusual configuration, and it wasn't consequential.

    Whether we're diligent or not, if patches are difficult enough it barely matters that the patch was released at all, in terms of worldwide impact.

    --

    There are no trails. There are no trees out here.

  8. oh please... by Ender+Ryan · · Score: 1, Interesting

    How many IE and IIS holes went unpatched for months? And how many of the holes found in the past 12 months were found by kids, without even access to the source? *rolls eyes* Windows is absolute garbage when it comes to security. There is no comparison.

    The holes in OSS software are usually holes found by code audits done by people who know what they're doing. And said holes are often only theoretical, i.e. many of them aren't exploitable.

    --
    Sticking feathers up your butt does not make you a chicken - Tyler Durden

  9. Re:Got the popcorn by Anonymous Coward · · Score: 2, Interesting

    Let's get the Microsoft flamefest started!

    Flamebait? More like the truth. Take a look at the rest of the posts in this story, especially the ones modded to 4 and 5. Microsoft flames, all.

  10. Re:phew by DickBreath · · Score: 2, Interesting

    Guess you would be really screwed if you used openssl on windows eh?

    If you were, would you even know it?

    If an open source program falls in a binary only forest, does it make a sound?

    --

    I'll see your senator, and I'll raise you two judges.

  11. Re:Why is some software more secure than others? by njchick · · Score: 2, Interesting

    In this case the failures were mostly in the error handling, and any developer knows that this tends to be the hardest part of your program to get right. Not only are there a lot more ways things can fail than go right, but they can fail in many more places in your code and it is very difficult to make sure your program can recover gracefully from everywhere something might go wrong.

    I always wanted to have better support for error handling in C. Programmers should not be forced to handle errors by nested ifs, "goto error" and wrapper functions that do nothing but check the result of another function and do cleanup. But please don't offer me C++ or Java. If OpenSSL is written in C, that's for a reason. Compatibility with all other libraries, relative independence from the compiler, native speed - those reasons cannot be ignored. If C is good for writing secure software, I want exception handling in C.

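
As an added example, not code from this thread or from OpenSSL, the C below shows the "goto cleanup" error-handling idiom that njchick mentions, written so that every buffer is released in exactly one place. That single exit point is the structural defence against the double-free class of bug cras describes in comment 5: each owned pointer starts as NULL, is freed only by one function, and is set to NULL once ownership moves to the caller. The `record` type, its size limits and all function names are constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed size limits for the hypothetical record type below. */
#define MAX_KEY_LEN     64
#define MAX_PAYLOAD_LEN 1024

/* A heap object that owns two buffers (constructed for illustration). */
struct record {
    unsigned char *key;
    unsigned char *payload;
    size_t key_len;
    size_t payload_len;
};

/* The single place where record memory is released. It tolerates a NULL
 * record and NULL members, so it is safe on a half-built object. */
void record_free(struct record *r)
{
    if (r == NULL)
        return;
    free(r->key);       /* free(NULL) is a no-op, so no NULL checks needed */
    free(r->payload);
    free(r);
}

/* Build a record from caller-supplied bytes.
 * Returns 0 and stores the record in *out on success.
 * Returns -1 on any failure, with *out NULL and nothing leaked.
 * Every error path jumps to one cleanup label, so each buffer is freed
 * exactly once regardless of where the failure occurred. */
int record_new(const unsigned char *key, size_t key_len,
               const unsigned char *payload, size_t payload_len,
               struct record **out)
{
    int rc = -1;
    struct record *r = NULL;    /* owned pointers always start as NULL */

    *out = NULL;
    if (key == NULL || payload == NULL)
        goto cleanup;
    if (key_len == 0 || key_len > MAX_KEY_LEN)
        goto cleanup;
    if (payload_len > MAX_PAYLOAD_LEN)
        goto cleanup;

    r = calloc(1, sizeof(*r));  /* zeroed, so key/payload begin as NULL */
    if (r == NULL)
        goto cleanup;

    r->key = malloc(key_len);
    if (r->key == NULL)
        goto cleanup;
    memcpy(r->key, key, key_len);
    r->key_len = key_len;

    r->payload = malloc(payload_len > 0 ? payload_len : 1);
    if (r->payload == NULL)
        goto cleanup;
    memcpy(r->payload, payload, payload_len);
    r->payload_len = payload_len;

    *out = r;
    r = NULL;       /* ownership handed to the caller; cleanup must not free it */
    rc = 0;

cleanup:
    record_free(r); /* frees a partially built record, or nothing at all */
    return rc;
}

/* Self-check: a valid build round-trips its contents, and a rejected
 * build leaves *out NULL. Returns 1 when both hold, 0 otherwise. */
int record_selfcheck(void)
{
    static const unsigned char key[] = "k1";        /* constructed input */
    static const unsigned char payload[] = "hello"; /* constructed input */
    struct record *r = NULL;
    int ok;

    if (record_new(key, 2, payload, 5, &r) != 0 || r == NULL)
        return 0;
    ok = r->key_len == 2 && r->payload_len == 5 &&
         memcmp(r->payload, "hello", 5) == 0;
    record_free(r);
    r = NULL;

    /* An over-long key must be rejected without leaking or dangling. */
    if (record_new(key, MAX_KEY_LEN + 1, payload, 5, &r) != -1 || r != NULL)
        return 0;
    return ok;
}
```

The point of the layout is that `record_free()` is the only function that ever calls `free()` on these buffers, and `record_new()` either hands a fully built object to the caller or frees what it built itself; there is no path on which a buffer is freed by the error branch and then again by the caller's cleanup, which is the shape the double-free bug takes.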
  12. Re:Why is some software more secure than others? by Hard_Code · · Score: 2, Interesting

    What about Cyclone?

    It seems like a good step forward.

    --

    It's 10 PM. Do you know if you're un-American?

  13. Re:Open Source Code Quality by Anonymous Coward · · Score: 1, Interesting

    This means that user processes can steal resources and cause any number of root processes to die, just because they made a function call that required a larger stack.

    Actually, the kernel will kill the offending user process. It's been part of the VM code since at least 2.0.x.

  14. It's good to see.... by 222 · · Score: 2, Interesting

    that the software we take for granted every day is being given such stiff auditing. I mean, sure it sucks to patch so often, but honestly, wouldn't you rather read this and patch before some jackass releases a public exploit, and every 15 year old that can't find something better to do decides to take down a production box?