Slashdot Mirror


Multiple Vulnerabilities in OpenSSL

gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."

274 comments

  1. Non-Exploitable Security DOS Exploit by jstockdale · · Score: 2, Informative

    News at 11

    Honestly people, is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago, and a fixed version of OpenSSL is already available.

    CVSup; make buildworld && make installworld

    Problem solved.

    --
    **AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes
    1. Re:Non-Exploitable Security DOS Exploit by BlueCodeWarrior · · Score: 5, Insightful

      For those of us not on the FreeBSD mailing list, it is.

    2. Re:Non-Exploitable Security DOS Exploit by Canberra+Bob · · Score: 2, Flamebait

      Yes, but *BSD takes security in general a lot more seriously.

      Rather than racing around trying to be all things to all people, the *BSD developers concentrate on what they are good at: developing a darn good server OS.

      For your average Linux user, this will be treated as a nuisance that interrupts them trying to get the latest unstable kernel compiled, for your average *BSD user, this is important stuff that affects the security of their IT infrastructure.

    3. Re:Non-Exploitable Security DOS Exploit by stratjakt · · Score: 5, Insightful

      It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.

      cvs, make and build sure.. But when it's click windows update, somehow it's some monumental task that's just the worst thing imaginable.

      --
      I don't need no instructions to know how to rock!!!!
    4. Re:Non-Exploitable Security DOS Exploit by MobyTurbo · · Score: 4, Informative
      Honestly people, is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago, and a fixed version of OpenSSL is already available.

      Slackware Linux also has this fixed. Incidentally, like the parent's subject line says, this is a minor vulnerability that at the most makes openssl crash, not an exploit or a trojan like all the stuff we've been seeing about Windows on /. lately.

    5. Re:Non-Exploitable Security DOS Exploit by KidSock · · Score: 4, Insightful

      ...is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago.

      Yes. Most of us are not on the FreeBSD mailing list. Instead we wait for the more mainstream outlets like ./ to report the problem. Also it's good to wait about 36 hours or so for the fix to go through the motions as the sudden interest rattles free other problems.

    6. Re:Non-Exploitable Security DOS Exploit by ewhac · · Score: 4, Interesting

      CVSup; make buildworld && make installworld

      For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it? It also glosses over insignificant little details, such as:

      • How do you set up your supfile?
      • Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?
      • Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports? (E.g. I'm using postfix, thankyouverymuch, and don't want sendmail to reappear.)

      Dumb questions I'm sure, but the answers have never been revealed in a form I can understand.

      Schwab

    7. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 2, Insightful
      Wow, aren't we pretentious and elite today? I could just as easily say that the average Linux user just waits for cron-apt or something similar to pull in the fixed packages when they are made available by their distribution, which is a far more realistic claim, yet equally as handwaving and vacuous as the one you made.

      Get a life.

    8. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 5, Informative
      How do you set up your supfile?

      Copy it from /usr/share/examples/ (it's somewhere in there, I think, my FreeBSD box isn't running at the moment, I've poached some of its hardware).

      Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?

      That's a fine question indeed. What I do is:

      make DESTDIR=/usr/local/fake_root distrib-dirs distribution

      make DESTDIR=/usr/local/fake_root installworld

      make DESTDIR=/usr/local/fake_root installkernel KERNCONF=foobar

      Then you can compare the contents of /usr/local/fake_root and stuff in /. I like find and sort and vimdiff to do that. It's not super elegant, but you don't have to do it too often if you're tracking something like RELENG_4_9, since rarely do things get updated. What you would use it for is when you make changes to the base, which leads me to:

      Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports?

      Yes! But you can get around it. In /etc/make.conf, do:

      NO_SENDMAIL=true

      Now sendmail won't be built, although its stale files will hang around; refer to point 2 above.

      You'll also, in rc.conf, want:

      sendmail_enable="YES"

      sendmail_flags="-bd"

      sendmail_outbound_enable="NO"

      sendmail_submit_enable="NO"

      sendmail_msp_queue_enable="NO"

      At least for Postfix, which you say you use.

    9. Re:Non-Exploitable Security DOS Exploit by dasmegabyte · · Score: 1

      Really?

      What I do is "emerge -u openssl."

      For me it seems easier, but what the hell do I know.

      --
      Hey freaks: now you're ju
    10. Re:Non-Exploitable Security DOS Exploit by sublimespot · · Score: 1

      Agreed. I updated my servers over 24 hours ago

    11. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 1, Funny

      You're such a dork.

    12. Re:Non-Exploitable Security DOS Exploit by Sivar · · Score: 4, Insightful

      You have a good point, as using Windows Update is easier (or at least as easy) as any GNU/Linux update method, and can be made automatic very easily (like some GNU/Linux update methods).
      One noteworthy difference, however, is that none of the BSD or GNU/Linux update methods tell the vendor the software (and their versions) that you run. To their credit, at least, none of them (including Microsoft) collect any actual personally identifiable information.

      --
      Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
    13. Re:Non-Exploitable Security DOS Exploit by Electrum · · Score: 3, Informative

      For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it?

      First, RTFM:

      http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/cutting-edge.html
      http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

      I run 4-STABLE on all of my boxes, so this will be a bit different for 5. Create /etc/make.conf. You can look at /etc/defaults/make.conf and in the handbook for more details:

      CFLAGS=-O -pipe
      NOPROFILE=true
      NO_BIND=true
      NO_SENDMAIL=true

      SUPHOST=cvsupXX.freebsd.org
      SUP_UPDATE=yes
      SUP=/usr/local/bin/cvsup
      SUPFLAGS=-g -L2
      SUPFILE=/usr/share/examples/cvsup/stable-supfile
      PORTSSUPFILE=/usr/share/examples/cvsup/ports-supfile


      Replace SUPHOST with your CVSup mirror. See the handbook for more info. The NO_BIND and NO_SENDMAIL lines keep buildworld from building BIND and Sendmail, respectively, since I use djbdns and qmail.

      Once you have setup /etc/make.conf, you can update the source tree by doing this:

      # cd /usr/src
      # make update


      That will also update /usr/ports. If you want to just update ports, run make update from /usr/ports.

      Once your source tree is up to date, update the system following section 21.4.1 in the handbook. I skip the single user mode part, since I do everything over SSH:

      # mergemaster -p
      # rm -rf /usr/obj/*
      # make -j4 buildworld
      # make -j4 buildkernel
      # make installkernel
      # make installworld
      # mergemaster -i
      # reboot


      The order there is important. The kernel should be built after the world is built, since building the world updates the build tools (this is especially important when it has been a long time since you last updated). The kernel should also be installed before the world is installed.

      You should almost always update the kernel when you update the world. If you choose not to reboot immediately after installing the new world, you might notice that tools like ps no longer work, since they don't match the kernel.

      This is how I do things after several years of experience. Make sure to read and understand the handbook before doing anything. But really, it's not that hard, especially after you do it a few times.

      An unrelated but very useful tip: check out the sysutils/portupgrade port.

    14. Re:Non-Exploitable Security DOS Exploit by hattig · · Score: 1

      Well I'm now trying it out on my FreeBSD 5.2.1 machine ... nasty pink GUI.

      I copied standard-cvsup file and changed the *host= setting inside. I also had to configure in /etc/hosts my own machine's IP address and hostname - a hint that I should configure a nameserver at home at some point again.

      I've done this before and it all went wrong. I followed instructions in the handbook (useless!) and given on comp.sys.bsd.freebsd.misc ... bah. The handbook should have a section: "Upgrading the base system reliably and simply" with a set of instructions to do it. No referencing other parts of the handbook that no longer exist or are out of date.

      I don't understand why I should have to rebuild the kernel and everything in order to upgrade a single component of the base FreeBSD distribution, in this case - OpenSSL.

    15. Re:Non-Exploitable Security DOS Exploit by idiotnot · · Score: 2, Funny

      Another trolling gentoo user...gotta love it.

      cvsup....

      cd /usr/src/crypto/openssl
      make
      make install

    16. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 1, Funny

      Instead we wait for the more mainstream outlets like ./ to report the problem.

      If you have time to waste on slashcrap, you have time to keep abreast of things that affect your OS.

      Most of the comments here are a total waste of time.

      Like this one ;-)

    17. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 1, Informative

      For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it? It also glosses over insignificant little details, such as:
      How do you set up your supfile?
      Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?
      Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports? (E.g. I'm using postfix, thankyouverymuch, and don't want sendmail to reappear.)

      Dumb questions I'm sure, but the answers have never been revealed in a form I can understand.


      These are not dumb questions but they should be addressed to freebsd-questions mailing list where you will get good answers.

      The FreeBSD Handbook contains all the information that you need, but if you are still unsure please ask questions.

      Another good place to check is the freebsd mailing list archives. It is a gold mine of information for about every problem imaginable. Chances are, if you have a question, its been asked and answered before!

      Good Luck!

    18. Re:Non-Exploitable Security DOS Exploit by SnowZero · · Score: 1

      But when it's click windows update, somehow it's some monumental task thats just the worst thing imaginable.

      Well, Windows Update pretty much always insists on rebooting the machine, which is irritating to some users (i.e. power users). On *nix this only needs to be done for (fairly rare) kernel exploits and not simple library/program updates.

    19. Re:Non-Exploitable Security DOS Exploit by NightSpots · · Score: 4, Informative

      Never used RHN, have you?

      First thing it does is `rpm -qa` and sends that list right to RedHat.

      It's really hard to know what updates to provide without seeing a list of software packages installed. Sure, they could differentiate between "Our" software and "Other" software in the list of installed programs, but that's just silly - send the whole list, and ignore the stuff you don't care about.

    20. Re:Non-Exploitable Security DOS Exploit by Anime_Fan · · Score: 0, Redundant

      So you honestly believe that Microsoft forwards flaws detected in software to its vendor?
      Without charging huge amounts of cash for forwarding said information. My bet is that nvidia pays huge amounts to see its flaws in GFX drivers.

    21. Re:Non-Exploitable Security DOS Exploit by WasterDave · · Score: 1

      Yeah, quite. It was this very shitfight that had me over to Debian about two years back.

      Haven't looked back since.

      Dave

      --
      I write a blog now, you should be afraid.
    22. Re:Non-Exploitable Security DOS Exploit by cperciva · · Score: 3, Informative

      CVSup; make buildworld && make installworld

      For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it?


      If you're intimidated by buildworld, there's an easier option:
      # freebsd-update fetch
      # freebsd-update install

    23. Re:Non-Exploitable Security DOS Exploit by netdudeuk · · Score: 1

      Yes, but the thing is, if it's a MS vulnerability then everyone needs it on the front page even though most here want nothing to do with their software. Surely this is the most relevant in terms of people being able to react to an issue if they don't already know ?

    24. Re:Non-Exploitable Security DOS Exploit by gad_zuki! · · Score: 4, Insightful

      >Honestly people, is this really /. front page news?

      Yes, let's just wait till some kiddie writes a worm that crashes thousands of servers all over the world and then post about it.

      I like that slashdot posts security problems. Why?

      1. For the lazy admin. There's lots of them.

      2. Because it's important to keep reinforcing the idea that computers suck (I don't care what OS you like) and need constant care.

    25. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 0

      > It's really hard to know what updates to provide
      > without seeing a list of software packages installed

      But to do sending all the user data to the server and having the server calculate things is very inefficient - what's more likely is that it *down*loads a list of packages, and checks for updates at the client end.

    26. Re:Non-Exploitable Security DOS Exploit by lambsonic · · Score: 1

      Actually, to build, you apparently need to be in /usr/source/secure

      That is what /usr/src/crypto/README told me.

      At least, that is the way it is on 4-stable.

      --
      # make clean sig
    27. Re:Non-Exploitable Security DOS Exploit by hattig · · Score: 1

      I had to add a user "proxy" and the groups "proxy" and "authpf" in order to get make installworld to work.

      They weren't configured by the standard install (5.2.1), yet were required for the installworld procedure. I think it has something to do with PF.

    28. Re:Non-Exploitable Security DOS Exploit by UberLord · · Score: 2, Informative

      It's really hard to know what updates to provide without seeing a list of software packages installed

      That's the nice thing about Gentoo. I receive the full software tree every time I emerge sync so only *I* know what I have installed.

    29. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 0

      freebsd-update fetch && freebsd-update install

      done and done

    30. Re:Non-Exploitable Security DOS Exploit by alex_tibbles · · Score: 1

      none of them (including Microsoft) collect any actual personally identifiable information.
      I thought that they backed off from that commitment. It was definitely well touted in the early days of Windows Update "this program will never send information that is personally identifiable". But they seem to have changed their mind.

    31. Re:Non-Exploitable Security DOS Exploit by Short+Circuit · · Score: 1

      Your average Linux user doesn't even touch the kernel. They find it tedious. Most people I know don't even update individual packages...they'll just be downloading Fedora Core 2 when it comes out.

      Personally, I do like upgrading my own kernel to the latest in the stable series. The only unstable kernels I've run were 2.6.0pre3 and 2.6.0pre11. I didn't set 2.6.anything as my default kernel until I 2.6.0.

    32. Re:Non-Exploitable Security DOS Exploit by 4of12 · · Score: 1

      1. For the lazy admin. Theres lot of them.

      [Raises hand.]

      I know security is important, but I know time is finite.

      Slashdot stories like these are kind of like

      $ grep important bugtraq freshmeat
      Sure you could monitor the raw feeds and find out earlier and in greater detail, but that takes time and attention away from other stuff.
      --
      "Provided by the management for your protection."
    33. Re:Non-Exploitable Security DOS Exploit by Some+Dumbass... · · Score: 1

      For those of us not on the FreeBSD mailing list, it is.

      Incorrect. RedHat had a patch two days ago, Mandrake at least a day ago. I use both. I'm not on the FreeBSD mailing list and I knew about this. :)

      My point, and I think the grandparent post's point, being that the news is already "out there". It's three days old at this point. Okay, so maybe it's still news to some people, but saying that it's old news is also accurate.

    34. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 0

      You should spend less timme watching animme and mmore timme practicing your spelling.

    35. Re:Non-Exploitable Security DOS Exploit by innerweb · · Score: 1

      It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.

      Hmmm... I must not be reading the right pubs, or at least not enough of them. Never have seen many (if any) trivial issues on MS. They always get buried behind "fixes an exploit blah blah blah". If they published all the minor ones as well, they would need a monthly circ just for that. Come to think of it, MS does have one - you just have to pay an additional fee, or visit the website daily.

      FYI - I do believe the programmers at MS are capable of putting out much better code than what the corp climate allows them to. I know several, and I know their private life code is much better than their MS life code. They have to follow the work rules too.

      I could care less about anything on MS or linux that impacts neither productivity nor security. The problem has been that most of the stuff I have read about impacts one or the other. There are many many more patches for MS and linux than what makes any "story line".

      Now, the recent vulnerability in linux that had been sitting around since early versions of 2, that was news that needed coverage. And the almost weekly news of major MS exploits (let alone the daily waste of dollars on MS crashes) is incredibly persistent news.

      However, I will probably patch this as well on the next patch day, after I have tested it on a safe system and made sure it breaks nothing I have running.

      InnerWeb

      --
      Freud might say that Intelligent Design is religion's ID.
    36. Re:Non-Exploitable Security DOS Exploit by Nicolas+Pillot · · Score: 1

      Yeah, it's not new. But given the fact that OpenSSL is the basis of most security/cryptography packages, it is wise to give the largest number of people the news that they should update. And I think it is no mistake to say slashdot IS popular.

      I do not read dozens of lists, and my primary sources are slashdot, cnn, lemonde and one or two others. If I had not seen the news on slashdot, I wouldn't be aware of it, until I eventually ran mandrake update. Ok it seems like it is non-exploitable, but it should be known though.

    37. Re:Non-Exploitable Security DOS Exploit by cloudmaster · · Score: 1

      Unless you check the box that says not to do that. You're the one responsible for all of those worms, aren't you? "I'll just click OK on this box without reading what it says". :)

    38. Re:Non-Exploitable Security DOS Exploit by Dwonis · · Score: 2, Interesting
      You have a good point, as using Windows Update is easier (or at least as easy) as any GNU/Linux update method, and can be made automatic very easily (like some GNU/Linux update methods).

      Windows Update consists of at least 4 click-then-wait-a-while cycles before your software is updated, and several packages must be installed separately (MSIE, service packs, DirectX, etc). On Debian, at least, you can run one command (apt-get update && apt-get -y upgrade) that will often complete the entire upgrade process, without reboots, etc.

      Also, apt-get will upgrade third-party software. Windows Update does not.

    39. Re:Non-Exploitable Security DOS Exploit by tommck · · Score: 2, Insightful


      Oh... that's MUCH easier than Windows Update. Can't wait for my mom to try doing this...
      </asbestos suit>

      --
      ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
    40. Re:Non-Exploitable Security DOS Exploit by justsomebody · · Score: 1

      And guess what, you probably tried Linux, back in the days of pre1.0 kernels. Yes, I agree, in that times update was a real pain in the ass.

      For your information, a lot of time has passed from that time for the rest of the world.

      Debian: apt-get update
      Fedora: yum update or click little red icon that flashes in your left corner
      Redhat: click little red icon that flashes in your left corner
      (others can provide info for other distros)

      btw. if writing "su -" [pwd] "yum update" is too hard for you,... well just make a launcher "sudo -u root yum update" or if you have sudo disabled for some users "ssh -l root localhost yum update" (btw. select to run in terminal), and from there click, "y", "Enter" "you can go to the pub because work is already finished. Now please can you specify correctly Windows update, how easy it is, with all the clicks and restarts

      Let me imagine how many clicks I need to select Windows updates to the point of installing, and don't forget the occasional restart

      --
      Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
    41. Re:Non-Exploitable Security DOS Exploit by unfies · · Score: 1

      ..

      This is what happens for anon updates:

      Update Source >> This is the latest program for checking for updates

      Update Program > Here's that list.

      Update Program > Agree to these licenses first...

    42. Re:Non-Exploitable Security DOS Exploit by damiam · · Score: 1
      It's really hard to know what updates to provide without seeing a list of software packages installed.

      Debian works just fine the other way - instead of uploading a list of installed packages, you download a list of available packages, and apt picks locally what to upgrade. There's no privacy loss involved.

      --
      It's hard to be religious when certain people are never incinerated by bolts of lightning.
  2. 3 actually by chrisopherpace · · Score: 4, Informative

    According to this link
    Here
    There are three vulnerabilities.
    This was, like, sooo yesterday on the Bugtraq lists ;)

    1. Re:3 actually by Anonymous Coward · · Score: 4, Funny

      Let me summarize this whole thread so we don't waste any time:

      Microsoft fans - "see, Linux/FOSS have security issues too"

      Linux fans - "yeah, but we fixed this right away. If this was Microsoft, we would have been waiting for months"

      Repeat again and again..

      Next topic please..

    2. Re:3 actually by Siva · · Score: 4, Informative

      true, but one was in an older-than-current version. not to say it shouldn't be noted, of course...

      --

      Keyboard not found.
      Press F1 to continue.
    3. Re:3 actually by chrisopherpace · · Score: 4, Informative

      Not to troll, but OpenSSL is not Linux, and Linux is not OpenSSL.

    4. Re:3 actually by smittyoneeach · · Score: 3, Funny

      You're flying too low to see the us/them dichotomy going on, boss.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    5. Re:3 actually by Anonymous Coward · · Score: 2, Funny

      hate to troll either but all the Microsoft fans on slashdot are Microsoft Employees. I know this because I am one. I am too ashamed to admit it in public but hey, the pay is great.

    6. Re:3 actually by Anonymous Coward · · Score: 0

      It pays well to be a whore...

    7. Re:3 actually by fermion · · Score: 5, Funny
      Anyway we all know the problem isn't MS, the problem is C. It is such a 1970 type of language. Back when programmers were randomly jumping from place to place, casting memory as whatever type of data pleased them, recasting the data in function calls, copying blocks of data without a care of whether the blocks really existed, and, in this case, assigning NULL pointers all willy nilly. I mean really. No programmer educated in the past 15 years actually has the skill to remember that the void pointer pointer which in the last call has the value of the beginning of a three dimensional array, now points to the beginning of four dimensional array, which, of course, is complicated by the fact that such beasts only exist in the mind of the programmer, and not in any specific language construct, pointer math being one of those fictional things beat into the heads of the unfortunate programmers trained 20 years ago. And let's not even talk about the infinite loop idiom.

      Anyway, we need to rewrite the entire thing in the elegant languages of the 21st century. I suggest this

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    8. Re:3 actually by myowntrueself · · Score: 2, Funny

      I've often thought that refactoring the Linux kernel in Haskell would be rather nice.

      C is the devils tool.

      --
      In the free world the media isn't government run; the government is media run.
    9. Re:3 actually by beelsebob · · Score: 1
      Hmm, problem is that people have been suggesting we stop using languages like C for years, and yet we still do! We need to encourage new learners to try things like functional programming FIRST so that people don't get stuck into a rut of their way of doing things.

      I agree C just doesn't cut it these days - I'd recommend something more like Haskell, or if you REALLY don't want to try the paradigm switch then Java.

      Bob

    10. Re:3 actually by AigariusDebian · · Score: 1

      To fly even lower, the last time the OpenSSL had bugs, Microsoft also had to release a security fix for their software IIRC.

    11. Re:3 actually by JUSTONEMORELATTE · · Score: 1

      Damn, do I ever feel old right now.
      I understand pointer math. I know how to use (and indeed, have used) 4-dimensional arrays of complex data types, and I've written an infinite loop intentionally (the trick is to use an external event to change the otherwise-infinite boundary condition)
      The fun one is taking a pointer to a one-character array, then when you know what size your objects are going to be, cast the pointer to a pointer of the correct size, then do pointer math on a big chunk of memory to build an array of the new objects.
      Once, this was considered "being a good programmer."
      Now, if someone working with me tried any of this crap, I'd push them down a stairwell.

    12. Re:3 actually by mewsenews · · Score: 1

      hmm.. nice play, shakespeare.

    13. Re:3 actually by Ben+Hutchings · · Score: 1

      In this case, no, the problem isn't C. The bugs all involve dereferencing a null pointer, which will kill a Java program just as surely as it will kill a C program. (Yes, you can catch NullPointerException in Java; you can also handle SIGSEGV in C. That doesn't mean you can provide a useful recovery path from such an unexpected event.)

    14. Re:3 actually by multipartmixed · · Score: 1

      > The fun one is taking a pointer to a one-character
      > array, then when you know what size your objects
      > are going to be, cast the pointer to a pointer of
      > the correct size, then do pointer math on a big
      > chunk of memory to build an array of the new
      > objects.

      This is still a useful technique -- at least in a common variant -- where you place a one-character [portable] or zero-character [GNU] array at the end of a structure, then cast the data you've been presented with to this struct..

      Of course, if you're smart, you only write the code like that *once* (or maybe twice: read and write) and abstract away its use somehow.

      i.e. this contrived example in GNU C:

      #include <stdio.h>
      #include <stdint.h>
      #include <arpa/inet.h>   /* ntohl */
      #include <sys/mman.h>    /* mmap */

      typedef struct sdata
      {
          uint16_t field_one;
          uint16_t field_two;
          uint32_t dataLen;
          char data[0];        /* zero-length trailing array (GNU extension) */
      } __attribute__((packed, aligned)) data_t;

      data_t *myData;

      /* "a big hunk of file" in the original; fd and mapLen are assumed to be set up already */
      myData = mmap(NULL, mapLen, PROT_READ, MAP_PRIVATE, fd, 0);
      uint32_t dataLen = ntohl(myData->dataLen);
      printf("The last byte of data is 0x%02x", myData->data[dataLen - 1]);

      ...I suppose we could just read the bytes off the disk individually, malloc() enough ram to hold the data and read that in in a separate read call... but that would just plain suck, both from a code and performance point of view.

      The example is obviously contrived, but is real-worldish. And sometimes, you don't have the luxury of seeking around a disk file as an alternative, you may be reading data from an I/O device or something similar. And, of course, there is no reason for data[] to be a char, it could just as easily be a four-dimensional array of fixed sized structures.

      --

      Do daemons dream of electric sleep()?
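The cast-and-index idiom in the post above trusts dataLen straight off the disk (or the wire): data[dataLen - 1] is read before anyone checks that dataLen bytes actually exist, which is exactly the shape of an out-of-bounds read like the one the advisory fixes in the Kerberos ciphersuite code. The following is an added example, not code from the thread or from OpenSSL: it parses the same two-shorts-plus-length layout the poster describes, but checks every index against the buffer length first and reports truncated, empty, or headerless input instead of reading past the end. The struct name, result codes and the sample records are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the thread's sdata, written with a C99 flexible array member
 * (the portable spelling of the GNU char data[0] trick). The parser reads the
 * header fields byte-wise, so no packing attribute is needed here. */
struct rec_hdr {
    uint16_t field_one;
    uint16_t field_two;
    uint32_t dataLen;   /* big-endian on the wire, as the poster's ntohl() implies */
    char     data[];    /* payload of dataLen bytes follows the 8-byte header */
};

#define HDR_LEN offsetof(struct rec_hdr, data)   /* 8 */

enum parse_result {
    PARSE_OK           =  0,
    PARSE_BAD_PTR      = -1,   /* NULL buffer or output pointer */
    PARSE_SHORT_HEADER = -2,   /* fewer than HDR_LEN bytes available */
    PARSE_EMPTY        = -3,   /* dataLen == 0: data[dataLen - 1] would index before the payload */
    PARSE_TRUNCATED    = -4    /* header claims more payload than the buffer holds */
};

/* Decode a big-endian 32-bit integer without assuming alignment. */
static uint32_t rd32be(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate the record in buf[0..buf_len) and, on success, store its last
 * payload byte in *last. Every index is checked against buf_len before it is
 * dereferenced; the unchecked original is the single expression
 * ((data_t *)buf)->data[ntohl(dataLen) - 1]. */
int parse_last_byte(const unsigned char *buf, size_t buf_len, unsigned char *last)
{
    if (buf == NULL || last == NULL)
        return PARSE_BAD_PTR;
    if (buf_len < HDR_LEN)
        return PARSE_SHORT_HEADER;

    uint32_t dataLen = rd32be(buf + offsetof(struct rec_hdr, dataLen));
    if (dataLen == 0)
        return PARSE_EMPTY;
    /* Compare against the bytes remaining after the header, so the header's
     * own size is never forgotten; dataLen is unsigned, so no wraparound here. */
    if (dataLen > buf_len - HDR_LEN)
        return PARSE_TRUNCATED;

    *last = buf[HDR_LEN + dataLen - 1];
    return PARSE_OK;
}

/* Convenience wrapper: the byte value (0..255) on success, otherwise the
 * negative parse_result code. */
int last_byte_or_code(const unsigned char *buf, size_t buf_len)
{
    unsigned char b;
    int rc = parse_last_byte(buf, buf_len, &b);
    return rc == PARSE_OK ? (int)b : rc;
}

/* Constructed sample records for this example (not real file contents). */
const unsigned char SAMPLE_GOOD[] = {
    0x00, 0x01,  0x00, 0x02,              /* field_one = 1, field_two = 2 */
    0x00, 0x00, 0x00, 0x04,               /* dataLen = 4 */
    'a', 'b', 'c', 'd'                    /* payload */
};
const size_t SAMPLE_GOOD_LEN = sizeof SAMPLE_GOOD;

const unsigned char SAMPLE_LYING[] = {    /* header claims 16 bytes, carries 4 */
    0x00, 0x01,  0x00, 0x02,
    0x00, 0x00, 0x00, 0x10,
    'a', 'b', 'c', 'd'
};
const size_t SAMPLE_LYING_LEN = sizeof SAMPLE_LYING;

const unsigned char SAMPLE_EMPTY[] = {    /* dataLen = 0, no payload */
    0x00, 0x01,  0x00, 0x02,
    0x00, 0x00, 0x00, 0x00
};
const size_t SAMPLE_EMPTY_LEN = sizeof SAMPLE_EMPTY;

int main(void)
{
    printf("good:  %d\n", last_byte_or_code(SAMPLE_GOOD,  SAMPLE_GOOD_LEN));   /* 100 ('d') */
    printf("lying: %d\n", last_byte_or_code(SAMPLE_LYING, SAMPLE_LYING_LEN)); /* -4 */
    printf("empty: %d\n", last_byte_or_code(SAMPLE_EMPTY, SAMPLE_EMPTY_LEN)); /* -3 */
    printf("short: %d\n", last_byte_or_code(SAMPLE_GOOD,  3));                /* -2 */
    return 0;
}
```

The check is deliberately written as dataLen > buf_len - HDR_LEN rather than HDR_LEN + dataLen > buf_len: the first form cannot wrap, while the second can when an attacker-chosen dataLen is close to UINT32_MAX on a platform where the addition is done in 32 bits.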
    15. Re:3 actually by Anonymous Coward · · Score: 0

      Actually, the idea to get a bonk and get paid for it is quite appealing. Just need to select clients.

    16. Re:3 actually by Anonymous Coward · · Score: 0

      "union" is the devil.

    17. Re:3 actually by sharkey · · Score: 1
      Anyway we all know the problem isn't MS, the problem is C.

      Well, what do you expect, given its history.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
    18. Re:3 actually by Anonymous Coward · · Score: 0

      Yeah, but a NullPointerException in Java doesn't give someone control over your computer. C should just go away already (except for device drivers). People like to blame Windows for all of the security flaws out there, but C and C++ are at the root of most security evils. Once the VM is loaded, Java is a lot faster and more efficient than most people on ./ give it credit for. The typical slashdotter would use punch cards if he still could (perhaps not so bad for voting machines). With today's fast machines, there's hardly any reason for using such low-level languages anymore.

    19. Re:3 actually by Anonymous Coward · · Score: 0
      • Competently written C is better and faster than practically anything else that needs to be compiled
      • Competently written C is prohibitively expensive even if one can find someone with the ability to grasp the concepts
      • C++ tries to introduce structures that allow more leeway for the programmer
      • Most other languages assume the programmer is an idiot, and only allow access to basic control structures and high-level APIs
      • This is in fact a good thing
      • This comes at a significant performance hit, but it makes the process cheaper and more reliable.
      • In all honesty, I think many people program in C and C++ just to show off. Most of them should save themselves some grief and find some other way to front, especially if they have not read and thoroughly understood the base texts, and I do not mean the O'Reilly crap.
    20. Re:3 actually by Mandrake · · Score: 1

      segmentation faults do not equate to giving someone control over your computer. loading data segments as code segments does. I know, I've been trolled, but I couldn't help it.

      --
      Geoff "Mandrake" Harrison
      Some Random UI Hacker
  3. Let's be like M$... by barfarf · · Score: 4, Funny
    I think we should be like Microsoft and not tell anyone about it until it's already patched.

    ... oh, wait....

    1. Re:Let's be like M$... by Trejkaz · · Score: 4, Funny

      But remember, according to Microsoft the exploits can't exist until after the patch is released anyway.

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    2. Re:Let's be like M$... by thedillybar · · Score: 4, Insightful
      They didn't tell anyone until a patch was available. Note that the vulnerability was announced Wednesday, and it included a link for the patch (openssl-0.9.7d) when it was released.

      It's fairly reasonable to assume that the developers knew of the vulnerability some time before the new version became available.

      I think it's good practice to do this if you can develop the new version fast enough. Announcing it early is only inviting someone to exploit it. I doubt anyone will fix the vulnerability themselves and put it into production before the official release comes out.

    3. Re:Let's be like M$... by Anonymous Coward · · Score: 0, Offtopic
      Let's be like M$
      Dear Slashdot,

      Please add "M$" to the Lameness Filter.

      Thanks,

      -Mature Members of Slashdot Community
    4. Re:Let's be like M$... by Anonymous Coward · · Score: 0, Offtopic

      Dear Slashdot,

      Please don't listen to people too cowardly to use their real account.

      Thanks,

      -Minister for Irony

    5. Re:Let's be like M$... by Anonymous Coward · · Score: 0

      boo, hiss.

    6. Re:Let's be like M$... by webtre · · Score: 0

      Dear AC,

      Stop your anonymous trolling.

      Fuck you,

      -Webtre

      --
      litigious bastards
      suck it sco!
    7. Re:Let's be like M$... by Anonymous Coward · · Score: 0

      The hilarious thing about your post is, some people will seriously agree with what you said.

    8. Re:Let's be like M$... by Anonymous Coward · · Score: 0

      Boy, Microsoft has been creating a LOT of exploits! Someone should sue them for all those exploits!

    9. Re:Let's be like M$... by Anonymous Coward · · Score: 0

      Or the compiled binary & a platform to run it on.

    10. Re:Let's be like M$... by Anonymous Coward · · Score: 0

      The quote was viruses don't exist for the exploits until it's publicly available. NOT the exploits don't exist. And we wonder why people can't patch their machines when reading is such a hard thing...

  4. They can only cause my servers to crash by Anonymous Coward · · Score: 0, Funny

    which they do regularly anyway, thanks to cheap-ass Fry's RAM, ECS motherboards that cost $19.95, and republican style electricity service.

    I'll update when I feel like it.

  5. Uhh by Anonymous Coward · · Score: 0

    A good admin doesn't need /. to tell them that their OpenSSL is vulnerable.

    1. Re:Uhh by Anonymous Coward · · Score: 2, Funny

      And a dog doesn't need slashdot to tell him where the nearest bone is buried.

      Point being: slashdot isn't news for good admins. It's news for nerds that are hopelessly wrapped up in battle between Open Source and the evil Micro$haft corporation that they fabricated to bring some drama to their dreary lives.

      Hellooooo -1 country!

    2. Re:Uhh by danidude · · Score: 1
      A good admin doesn't need /. to tell them that their OpenSSL is vulnerable.

      I think the point isn't to be told about the vulnerability, since good admins read security/relevant lists that are the appropriate place to be informed quickly of such things.

      I think the point of this news is to discuss about this vulnerability.

      --
      - no sig.
    3. Re:Uhh by Homology · · Score: 1
      I think the point isn't to be told about the vulnerability, since good admins read security/relevant lists that are the appropriate place to be informed quickly of such things.

      I think the point of this news is to discuss about this vulnerability.

      If one really wants to discuss this, then there are other forums/mailing lists that are better suited. Even though many Slashdotters actually know what they talk about when posting, they are drowned by the noise from the unwashed masses.

  6. Actual Threat? by Anonymous Coward · · Score: 2, Interesting

    Already updated, but (w/o Kerberos) could this actually lead to anything more than the crashing of sshd and httpd child processes (assuming that's all one's using OpenSSL for)?

    1. Re:Actual Threat? by $0+31337 · · Score: 2, Interesting

      Well I suppose that the answer is no considering that the CERT Advisory, OpenSSL site, Other numerous sites say "This can lead to a DoS attack" and don't mention anything else. RTFA.

    2. Re:Actual Threat? by Anonymous Coward · · Score: 1, Interesting

      Right. My point is, if the parent process lives on and can continue to spawn children for valid requests, is this DoS actually not much more destructive (with the possible exception of disk space for core files) than someone making "unneeded" connections?

    3. Re:Actual Threat? by $0+31337 · · Score: 2, Interesting

      One of the problems is that a remote attacker could cause an infinite loop which would hang the parent process so yes, this could be a problem.

  7. before the trolls start... by contrasutra · · Score: 4, Insightful

    Please don't comment "so I guess Windows isn't so insecure, is it...". We always seem to get a few of these. OpenSSL/OpenBSD has a VERY good security track record. Is a vulnerability a problem? Yes, but when MS has OpenBSD's track record, you can compare.

    Also I think this is a good news post simply because it helps to show we're not anti-Windows biased. We report security problems on ALL OSes.

    Oh well, sometimes you just have to combat the trolls.

    1. Re:before the trolls start... by Trejkaz · · Score: 5, Informative

      In particular, if you were running OpenSSH on Windows, which still depends on OpenSSL, then you are still in trouble. This isn't an OS security problem, it's a library security problem.

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    2. Re:before the trolls start... by DeputySpade · · Score: 1

      Also I think this is a good news post simply because it helps to show we're not anti-Windows biased. We report security problems on ALL OSes.

      Um... Yeah. Because this is where I go for all the breaking news in the HP-UX or AIX world, right? Sorry. Half the crowd is pro-windows biased, half the crowd is anti-windows biased and half the crowd lies by saying they aren't biased either way. You only hear about the OSs that make for a good holy war on /. because if you don't have a bunch of biased zealots running around screaming, what fun is it? That means you will only ever hear about windows problems from the anti-windows dorks, and the most common Open Source operating systems' problems from the pro-windows dorks.

      Don't kid yourself into believing that /. a) is unbiased, or b) reports on the full set of "stuff that matters".

      --


      This space intentionally left blank
    3. Re:before the trolls start... by Anonymous Coward · · Score: 0

      And indeed, it looks like this story was submitted by a Pro-Windows dork.

    4. Re:before the trolls start... by doomy · · Score: 4, Funny
      Yes, but when MS has OpenBSD's track record, you can compare.

      This just out from MSFT:
      Only one remote hole in Windows XP, since yesterday.
      --
      ...free your source and the rest would follow...
    5. Re:before the trolls start... by mrtroy · · Score: 1

      Half the crowd is pro-windows biased, half the crowd is anti-windows biased and half the crowd lies by saying they aren't biased either way.

      150% of the crowd cannot even use correct percentages, and make subjective opinions on matters they know nothing about :)

      But keep on trucking...you hit quite a few good catchphrases, including but not limited to: pro-windows *3, anti-windows *2, OS *2, zealot, dorks*2, open source, /. * 2, bias *3

      --
      [I can picture a world without war, without hate. I can picture us attacking that world, because they'd never expect it]
    6. Re:before the trolls start... by thebatlab · · Score: 3, Informative

      Not that I entirely agree with him (and not that I don't ;)) but his math is just fine. 100% are biased in some direction, 50% don't admit it. Works by my account.

    7. Re:before the trolls start... by Anonymous Coward · · Score: 0

      Because someone can't be biased and not admit it?

    8. Re:before the trolls start... by Tuzanor · · Score: 1

      Just to clarify, OpenSSL does not have that great of a security record. In fact a large percentage of the OpenBSD advisories have something to do with it. Theo has been seriously considering forking the project (the OpenBSD team does NOT do OpenSSL).

    9. Re:before the trolls start... by barfarf · · Score: 1

      Half the crowd is pro-windows biased, half the crowd is anti-windows biased and half the crowd lies by saying they aren't biased either way.

      But... but... I'm NOT biased. I hate ALL OSes equally...

    10. Re:before the trolls start... by Anonymous Coward · · Score: 0

      Call us when you get OpenBSD running on an 8088. It's pretty easy to be secure if your legacy code came after hardware memory protection was available.

    11. Re:before the trolls start... by Anonymous Coward · · Score: 0

      Does it hurt to be that stupid? How about being that stupid publicly? Is that any worse of a feeling, or does it feel about the same?

      Or are you just too stupid to realize how stupid you actually are?

    12. Re:before the trolls start... by gglaze · · Score: 1

      I'm glad to see someone posted that - that's exactly how I read it.

    13. Re:before the trolls start... by kasperd · · Score: 1

      In particular, if you were running OpenSSH on Windows, which still depends on OpenSSL, then you are still in trouble.

      Is OpenSSH affected by this problem? AFAIK SSH doesn't use the SSL protocol. So if SSH just uses the cryptographic primitives from OpenSSL, and the vulnerability was in another part of the code, how could SSH be affected?

      --

      Do you care about the security of your wireless mouse?
    14. Re:before the trolls start... by nestler · · Score: 1

      OpenSSH is not affected by these problems on any platform. OpenSSH uses only the crypto part of OpenSSL (not the SSL stack). These bugs are in the SSL stack.

  8. Bullshit... by Anonymous Coward · · Score: 4, Funny
    Everything is fine, firewall is quiet, and I dont think a single box wiL#%*#AT+H+H[NO CARRIER]

  9. Re:Patch updates are NOT news by pompousjerk · · Score: 5, Funny

    I'm betting that there are a large number of sysadmins who pay more attention to /. than they do to keeping systems up to date.

  10. Re:Why Is This Happening? by Anonymous Coward · · Score: 0

    because it's more complicated code than "hello, world!"

  11. They are if you just got hacked... by jarich · · Score: 1, Informative
    I have a friend who left his ssh server up overnight on a brand new Mandrake box... (I know, he shouldn't have, but he did).

    Next morning, both his Linux and Windows boxes had been compromised.

    Slashdot is a great forum for this type of critical patch. Gets the news out very quickly to people who don't read the security sites every day.

    1. Re:They are if you just got hacked... by stratjakt · · Score: 1

      why should you not leave ssh up? is it insecure or something?

      --
      I don't need no instructions to know how to rock!!!!
    2. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      yes. well, openssh is..

    3. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      Umm yeah, seeing as it uses OpenSSL. Fuckwit. Don't get smart next time.

    4. Re:They are if you just got hacked... by Bikini+Kill · · Score: 1

      Is your friend 100% positive that this vulnerability is to blame? All the reports say that it is a Denial of Service vulnerability rather than one that allows execution of arbitrary code...

    5. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      openssl != openssh

    6. Re:They are if you just got hacked... by jarich · · Score: 1

      He doesn't know what was to blame... he only had Apache and SSH open though.

    7. Re:They are if you just got hacked... by jarich · · Score: 2, Informative
      Leaving up a service you don't need is not a smart thing to do. My friend didn't need SSH up anymore (he had temporarily) but he thought there was no reason to take it down, so he left the port open on his router.

      Next morning, things were hosed. :(

      The moral is if you need SSH, FTP or any other service up, keep one eye on BugTraq... but slashdot posts a lot of the good ones for those of us who don't have time to read everything.

      But, if you don't have a need for the service, shut down the port! NEVER leave up a port you don't need up. There are tons of script kiddies out there just trolling for an opening. If you don't believe me, just turn on the logging for your router and watch the probes go rolling by.

    8. Re:They are if you just got hacked... by Anonymous Coward · · Score: 2, Funny

      It puts the patches on the server, or else it gets the hose again.

    9. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      could you be a little more specific.. i.e. versions of packages involved, or the version of the distro?

    10. Re:They are if you just got hacked... by Anonymous Coward · · Score: 1, Informative

      This vulnerability isn't an exploitable hole, just a DOS, shit-for-brains. Has nothing to do with the security holes in OpenSSH.

    11. Re:They are if you just got hacked... by NuShrike · · Score: 1

      Had my OpenSSH online for years as most other people.. What's the problem?

    12. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      Methinks thou art full of rubbish. I've had SSH up on dozens of servers for anywhere from 2 to 5 years with no hacks. Keep 'em patched and SSH is perfectly fine to leave hot.

    13. Re:They are if you just got hacked... by pyite · · Score: 1

      Sounds like being an idiot is to blame. Seriously though, most people have SSH running all the time without tcp wrappers on it, either. Most people don't have issues with it. Your friend probably had weak passwords. Don't blame SSH when you admitted you do not know that SSH was the problem. Maybe you should see what actually did happen before spouting flamebait.

      --

      "Nature doesn't care how smart you are. You can still be wrong." - Richard Feynman

    14. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      He was making a point about watching slashdot for patches instead of following numerous mailing lists shit for brains.

      A DOS attack can be just as harmful to the right server as an exploit can. I'd guess you haven't patched your machine yet. What's your IP?

    15. Re:They are if you just got hacked... by Anonymous Coward · · Score: 0

      Nowhere did he say this had to do with the most recent patch. If people would stop and READ what someone writes instead of getting all defensive when they see owned/exploited/security/linux in one sentence maybe people would start to take Linux users seriously.

    16. Re:They are if you just got hacked... by jarich · · Score: 1
      If you keep it patched and up to date, you shouldn't have a problem. But that means (at a minimum) weekly, preferably daily via a script each night.

      Most users don't know how to do updates on their systems... those are the folks who shouldn't leave it up and running.

      You are aware of the recent (last 3 to 6 months) worth of exploits in this program, right? I'm not that familiar with the details, I think there was an exploit (recently) that let the attacker take over your box. This announcement was not of that magnitude, but it hasn't been that long.

    17. Re:They are if you just got hacked... by LilMikey · · Score: 1

      So you have a Linux box and a Windows box sitting right next to each other. Y'all get haxored and then blame the Linux box? Odd...

      Did you put that Mandrake box in the DMZ or forward ports to it? What version of Mandrake? The worst this vuln does is DOS and crash. I installed Mandrake on my laptop a couple days ago and, since I use SSH, it's running 24/7 no problems. If I had to guess, I'd say it's somewhere between a thousand and a bazillion times more likely that, if the computers were haxored at all, it was the Windows box.

      Were the boxes fuxored or just an 'I can't get to the internet' type of thing? When my Windows box got infected with MSBlast (gotta love Blast, don't have to do anything to get it!) it freaked out my router, maybe you're looking at something like that.

      --
      LilMikey.com... I'll stop doing it when you sto
  12. Re:Why Is This Happening? by Anonymous Coward · · Score: 0

    Hey, SOMEONE found out about it. Har har har!

    Because people aren't whipped and beaten enough to learn to stop making mistakes.

  13. Re:Patch updates are NOT news by Nasarius · · Score: 1

    It's not that difficult these days. Set up a cron job to do "emerge sync && emerge -uD world" or the equivalent every 24 hours. No attention required.

    --
    LOAD "SIG",8,1
  14. Old news by macdaddy · · Score: 2, Insightful

    I mean this is over a day old now. Why it took CERT so long to send the advisory I don't know.

    1. Re:Old news by hattmoward · · Score: 1

      CERT (US-CERT) has been slower since USDOHS got on the scene. They've slowed quite a bit, but maybe they're doing a lot more behind-the-scenes work with organizing patches, releases, and the like.

    2. Re:Old news by macdaddy · · Score: 1

      Yeah, that is a good point. I wish they'd told the USDOHS to stick it.

    3. Re:old news by Anonymous Coward · · Score: 0

      Hooray for 0-day p^7(HeZ.

  15. Move along by Dalcius · · Score: 4, Informative

    Nothing really to see here folks. Both attacks crash the SSL server, so we're looking at DOS attacks and not 'holes'. This is certainly serious for the business who relies on it, but for home networks and casual use (which I'm sure is common among slashdotters) this is no sweat.

    Nice to hear that they found the holes, though. :)

    --
    ~Dalcius
    Rome wasn't burnt in a day.
    1. Re:Move along by mabu · · Score: 1

      Does this crash the SSL servers or merely tie them up? Anyone have any details? I assume this affects Apache with mod_SSL with an earlier version of OpenSSL, but can you disable Kerberos under Apache temporarily until the lib can be updated?

  16. Re:Why Is This Happening? by nathanhart · · Score: 3, Insightful

    Probably has something to do with many people being able to do code audits freely and of course submit their fix for it ;)

    --
    GeekLeak.com - Silly name, serious geeks
  17. Re:new version of windows ... by Anonymous Coward · · Score: 0

    Mod parent up. This is hilarious !!

  18. Re:Why Is This Happening? by Anonymous Coward · · Score: 0

    Probably because, as with homepages, weblogs, amusing photoshops and 99% of everything else on the internet, the author is the only person that reads their work.

    Just because it's open source doesn't mean anyone else is reading it!

  19. For the love of god by Anonymous Coward · · Score: 5, Funny
    Please let the 'no proble...[NO CARRIER]' joke die. It is less funny than recursive acronyms, number representation wackiness, or 'yet another' names for programs.

    Okay, maybe not less funny - but just as unfunny.

    1. Re:For the love of god by Anonymous Coward · · Score: 0

      Joke nazi.

    2. Re:For the love of god by Des+Herriott · · Score: 1

      Well, people still keep giving these posts a Funny moderation. Mind you, they're probably the same people who still think digital watches are a pretty neat idea.

      (with apologies to Douglas Adams)

  20. get on the security mailing list for your OS by Anonymous Coward · · Score: 0

    I subscribe to debian-security-announce, and I got a msg about the openssl problem sometime last night (it was in my inbox this morning).
    That's the fastest and most reliable way to keep up-to-date.

  21. Re:Validate untrusted data! by Anonymous Coward · · Score: 0

    This is exactly the reason Bondage & Discipline Languages like Java and C# exist. Every programmer wants to believe he is the alpha-type and so tries to make his code run the fastest, but doesn't want to do the less glorious work of validating pointers (perhaps encapsulated in a class if necessary for security products--something that C++ is actually good for), checking bounds, and documentation (one of the most overlooked and most important parts of an open source project--how useful is 1000 eyes if they don't understand what you are doing). Take away these difficulties, except documentation, and you minimize stupid programmer errors. Sure it doesn't run as fast, but that's hardly the prime design requirement for security software.

  22. Re:Patch updates are NOT news by Mr.+Ophidian+Jones · · Score: 2, Insightful

    Set up a cron job to do "emerge sync && emerge -uD world" or the equivalent every 24 hours. No attention required.

    Until someone roots the Gentoo servers....

  23. slashdot - soap opera for nerds by Anonymous Coward · · Score: 0

    And I don't mean Simple Object Access Protocol...

  24. RedHat 7.2/7.3 not supported, yet by mcrbids · · Score: 1

    As of the time of this writing, yum repositories for Fedora Legacy 7.2 do *NOT* have these updates!!!

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:RedHat 7.2/7.3 not supported, yet by Anonymous Coward · · Score: 0

      If this is a production machine, why don't you update it yourself?

      You can't afford to wait on a bunch of unpaid volunteers to get around to compiling the new package and packaging it into an RPM. They've got paid jobs, I imagine.

    2. Re:RedHat 7.2/7.3 not supported, yet by $0+31337 · · Score: 1

      wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz

      Decompress/configure/make/make install

      If you can't compile source code then you shouldn't be a sysadmin.

    3. Re:RedHat 7.2/7.3 not supported, yet by mcrbids · · Score: 1

      If you can't compile source code then you shouldn't be a sysadmin.

      If you enjoy torturing yourself, compile everything from scratch. Once you've done this, you have to chase down every update in anything you ever compile for the duration of the life of the machine, as well as beat out any changed dependencies.

      It's not as bad if/when you use a tool like checkinstall...

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    4. Re:RedHat 7.2/7.3 not supported, yet by bangular · · Score: 1

      ....

      Ummm... compiling software yourself has become torture? I guess the folks over at linux from scratch are sadists then.

    5. Re:RedHat 7.2/7.3 not supported, yet by mcrbids · · Score: 1

      No, compiling software isn't torture.

      Keeping track of every individual package on 20+ systems and their update status can be quite torturous.

      Or, do you have no trouble keeping "the server" under your bed (that shares MP3s to your roomie down the hall) updated?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    6. Re:RedHat 7.2/7.3 not supported, yet by bangular · · Score: 1

      Writing a bash script to download, compile and install one package on 20 systems until your vendor releases a package isn't a huge deal.

    7. Re:RedHat 7.2/7.3 not supported, yet by Anonymous Coward · · Score: 0

      I'll chime in here to agree that circumventing the package system is non-trivial. Sure, you can build and install it from source, but my experience is that it usually takes several runs of configure && make && make install to get a working installation, especially if some packages are interdependent on other packages.

      The packages supplied by a distro vendor usually include custom patches for a wide variety of bug fixes, and sometimes replacing these packages with stock code can lead to symbol resolving problems or other hassles. Sometimes the problems can be insidious, as 99% of your programs work fine, but others are silently corrupting your data, or simply don't work as they should.

      In short, you need to test the installation, something that distro vendors can do for you and save a great amount of time. Just downloading source code off the Internet, compiling, and expecting it to work is fine for an enthusiast who isn't maintaining particularly critical data and has the luxury of debugging problems as they come up, but they're a much bigger pain for someone operating more than a toy machine who needs to expect that everything will work as advertised, without any hassle.

      I think the lesson of all this is that you should build your Linux from scratch if you're a real control freak. :) Otherwise, try to use the package system as much as possible.

    8. Re:RedHat 7.2/7.3 not supported, yet by Anonymous Coward · · Score: 0

      Isn't the whole point of Linux about being a control freak? Because if it isn't then why has everyone been whining about MS not giving you control of your OS. People want the best of both worlds though and one has to give.

    9. Re:RedHat 7.2/7.3 not supported, yet by bangular · · Score: 1

      One of the biggest reasons for failed dependencies in configure is because distributions (red hat, I'm looking at you here) split important packages into devel packages. So you might have a package, but you don't have the development version. However, most projects don't split them up, distros have taken it upon themselves to do it. I've installed Red Hat before and supposedly installed the development libs, but come time to compile a gtk app, oops! no gtk! But I've got other gtk apps installed. Oh, they've taken it upon themselves to split gtk up. One of the biggest reasons I started using LFS (and for servers, Gentoo) is because LFS and Gentoo don't split packages up 11 ways from Sunday. And the second I started using them is the second I had 99% less configure issues.

    10. Re:RedHat 7.2/7.3 not supported, yet by Anonymous Coward · · Score: 0

      That doesn't answer the question. How do you know which of your self-compiled packages on your 20 servers are critically out of date? You have an Excel spreadsheet with all the servers, libs and apps installed and their versions? How do you know a new version is out? You're on 300 mailing lists, one for each product?

    11. Re:RedHat 7.2/7.3 not supported, yet by mcrbids · · Score: 1

      That doesn't answer the question. How do you know which of your self-compiled packages on your 20 servers are critically out of date? You have an Excel spreadsheet with all the servers, libs and apps installed and their versions? How do you know a new version is out? You're on 300 mailing lists, one for each product?

      My friend, you have hit the nail on the head. I do an "up2date" or "yum -y update" on a particular server at least monthly. I'm anal about keeping patches updated. I do everything possible to avoid compiling anything that can be provided by RPM, since as soon as you compile a package, you're married to it.

      Compile once == recompile forever and constantly worry about updates.

      Any idiot can type "wget http://site.com/package; tar -zxvf package; cd package; ./configure; make; make install;" and then pedantically make idiotic claims about what it takes to be "a sysadmin".

      But I'm in the trenches. Thousands of people depend on these servers. Do you really think I'm going to compile something like openssl, on which all the TLS stuff for LDAP, Apache's HTTPS, SSH, and stunnel all depend?

      When, as soon as the package is installed, a simple "up2date <package>" or "yum -y update <package>" is going to suffice?

      No phone calls, no pissed off customers, no lost contracts. Which would you choose?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    12. Re:RedHat 7.2/7.3 not supported, yet by Anonymous Coward · · Score: 0

      And about double the disk usage too, I imagine.

      Is it really that hard to do apt-get install gtk2-dev (or whatever is appropriate for your distro of choice) if you need to circumvent the package system and install something from source? You really shouldn't be doing that anyways, which is the parent's entire point. It makes it difficult to track.

    13. Re:RedHat 7.2/7.3 not supported, yet by LilMikey · · Score: 1

      What is this "Excel" you speak of?

      --
      LilMikey.com... I'll stop doing it when you sto
    14. Re:RedHat 7.2/7.3 not supported, yet by $0+31337 · · Score: 1

      But I'm in the trenches. Thousands of people depend on these servers. Do you really think I'm going to compile something like openssl, on which all the TLS stuff for LDAP, Apache's HTTPS, SSH, and stunnel all depend?

      Why? Do you not know how to do it? Listen, the original post in this thread was complaining that Fedora had not yet released the package updates. If your distribution has released the patches, hurray for you. For those people whose distribution hasn't released the patches yet however, what are they supposed to do? Sit around and wait for the box to be compromised or compile from source?

      Stolen customer information, lawsuits, countless hours spent rebuilding boxes due to hackers. Which would you choose?

  25. old news by Anonymous Coward · · Score: 1, Funny

    i patched this like ten hours ago.

  26. this is not a troll by Anonymous Coward · · Score: 0

    I'm in the process of trying to figure out Windows security. So far it's a bloody mess. For all the byzantine token-passing and ACL's, the damn thing is still getting compromised left and right.
    Maybe they should scrap it all and start over. I don't recommend them following the Unix security model either, cause that root=god thing ain't all that either.

  27. Not too big of an issue... by InvaderXimian · · Score: 5, Informative

    Most setups (namely FreeBSD ones) aren't affected, because this is a problem with Kerberos ciphersuites and the OpenSSL code is extremely MIT Kerberos specific, so this flaw doesn't affect them.

    From the FreeBSD security list:

    > If one compiles OpenSSL oneself, *and* has MIT Kerberos, *and*
    > enables the Kerberos options, *and* has all ciphersuites (or at least
    > the Kerberos ciphersuites) specified in your application's
    > configuration, then you might be affected. But that has nothing to
    > do with FreeBSD.
    > Thus, answering your question again:
    >
    > Isn't FreeBSD vulnerable to the second "Out-of-bounds read affects
    > Kerberos ciphersuites" security problem?
    >
    > No, FreeBSD is not.

    1. Re:Not too big of an issue... by k_head · · Score: 1

      I subscribe to both debian and freebsd security lists. I got my warning from debian a couple of days ago and patched the system and have been patiently waiting for my warning from freebsd. Apparently I should not hold my breath.

      Every day I am so happy I use freebsd. It's truly awesome. Stable as a rock and secure as a safe.

      --
      The best way to support the US war effort is to continue buying American products.
    2. Re:Not too big of an issue... by InvaderXimian · · Score: 1

      Off Topic Banter - I guess you haven't been paying attention to the list but the security list won't post SA (Security Advisory) from Ports programs, although one guy is working on a language/program that will do it automatically.

  28. DONT FIX by ocularDeathRay · · Score: 1, Funny

    Whatever you do... don't release a patch for these problems anymore.. I hear from an "industry leader" that exploits only happen after a patch is released.

    better safe than sorry!!!

    *CHANTING*
    "JUST GIVE HUGS... don't fix bugs!"
    "START FROM SCRATCH... don't release that patch!"
    and...so on

    --
    Obama is a twitter sock puppet
  29. dumbass by Anonymous Coward · · Score: 0

    openssh uses openssl, retard

    your lame attempt at being cool by using programming operators just makes you look more stupid, fucko

  30. Speedy Cert by SuperBanana · · Score: 1
    Why it took CERT so long to send the advisory I don't know.

    You're joking, right? A day is flat-out amazing. CERT used to take months to announce stuff. It was a joke; I unsubscribed because at the time, I found out about stuff in updated RPM changelogs well ahead of when I read it in one of CERT's email alerts. They'd often take over a week to send an email out about a virus that had already thoroughly spread.

    1. Re:Speedy Cert by mabu · · Score: 1

      Have you seen a CERT advisory regarding the Phatbot worm yet?

    2. Re:Speedy Cert by Trogre · · Score: 1

      OpenSSL Security Advisory [17 March 2004]

      Updated versions of OpenSSL are now available which correct two
      security issues...
      ...

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the name CAN-2004-0079 to this issue.
      ...

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the name CAN-2004-0112 to this issue.
      and then...

      [root@localhost src]$ rpm -q --changelog openssl |head
      * Thu Mar 18 2004 Joe Orton 0.9.7a-20.2

      - pull in fix for libssl link line (Tim Waugh, #111154)

      * Tue Mar 09 2004 Joe Orton 0.9.7a-20.1

      - add security fixes for CAN-2004-0079, CAN-2004-0112

      - updated ca-bundle.crt: removed expired GeoTrust roots, added
      freessl.com root, removed trustcenter.de Class 0 root

      Note the dates.

      --
      "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
  31. It's not as if by Chuck+Chunder · · Score: 1

    there's a shortage of admins in the bad to mediocre range though.

    --
    Boffoonery - downloadable Comedy Benefit for Bletchley Park
  32. Core 1 not supported, yet either by Anonymous Coward · · Score: 0

    Makes me wish I were running Gentoo.

  33. hey that's pretty good, man by Anonymous Coward · · Score: 0

    maybe your should like, make a movie or something. i think it has potential.

  34. Lollin' @ 'offtopic' by Anonymous Coward · · Score: 0

    How is the comment off-topic when all the comments to the story are pointing out exactly the same thing?

    honestly moderators, you're not even trying anymore.

  35. who are you talking to? by Anonymous Coward · · Score: 0

    slashdot uses an experimental neural net to handle the moderation. also, all the comments are generated by AI. come on man, wake up. take the red pill already. or else you'll be trapped in this place forever reading stories about microsoft and sco and jon katz's hellmouth series.

  36. RedHat9 updates by Maimun · · Score: 1
    What shall I do to protect a RH9 system? Are the rpm updates here what I need? If so, I assume I need this and this -- since they are from 17.March.2004? (the *devel* package is available for i386 only, so that's why it's i386, no i686).

    Thanks.

    1. Re:RedHat9 updates by Anonymous Coward · · Score: 0

      Just run any of these commands:

      up2date -u
      apt-get update && apt-get upgrade
      yum update

      Done.

  37. Yawn by ChiralSoftware · · Score: 4, Insightful
    I'm bored of these OpenSSL advisories. On and on they go. An unchecked null and an out-of-bounds read. Someday, people will realize that unsafe data (anything that comes in over the net) really can't be safely manipulated in a language like C. If OpenSSL had been implemented in Java, these types of errors couldn't exist, or if they did exist, they would throw exceptions which could be caught and handled in some reasonable way.

    Rule #1: Unsafe data should be handled in sandboxed languages.

    Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.

    I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.

    ------------
    Create a WAP server

    1. Re:Yawn by kobaz · · Score: 2, Insightful
      Someday, people will realize that unsafe data (anything that comes in over the net) really can't be safely manipulated in a language like C.

      People like you who don't understand that any software written in any language can be exploited should be shot. Your post is just painful to read.

      Rule #1: Unsafe data should be handled in sandboxed languages.

      Rule #1 is actually: VALIDATE ALL USER INPUT

      This holds true for any language, c, java, php, brainfuck, or anything else. You can just as easily exploit a php script to insert sql statements and destroy a database as you could write code to crash a server using openssl, assuming the target apps do poor validation and you (the attacker) know what you're doing.

      Many things that communicate over the net are safely handled in c, java, php, etc etc because they are written to validate the input given to them and never do operations on data that hasn't been validated. You can write a secure implementation of openssl in c or java, it doesn't matter as long as the underlying methods include validating all of your input.

      Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.

      This is another bullshit rule, if you have an app that properly validates all of its data then you can run the process with any level of permissions and not worry. The problem is, most apps aren't written with the idea to validate everything (the number one reason is because it adds overhead). Apps like openssl are written by more than one developer so its even harder to make sure everything is validated properly because of differing programming styles and methods, etc etc.

      I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.

      You *are* trolling.
      --

      The goal of computer science is to build something that will last at least until we've finished building it.
    2. Re:Yawn by andy_shepard · · Score: 1

      If OpenSSL were written in Java it wouldn't matter whether it had any security holes because the script kiddies wouldn't be willing to sit around and wait five years for the exploit to run.

    3. Re:Yawn by JohnGalt00 · · Score: 1

      You're dead on with Rule #2. I'd never thought of it before, but trusting your webserver to not have a buffer-overrun exploit is scary.

      The problem with Rule #1 (right now) is that there isn't a clear winner for what language to use. Most all of the higher than C level languages aren't appealing, especially to crusty C programmers. C just works. Java and C# still have political issues, with Sun and Microsoft still controlling the languages.

      Python has no political problems, but it's too slow for this kind of stuff, and even if it improves speed wise the way java has for the last 5 years, it still might be too high level to get fast enough.

      I also have issues with Java's syntax. Too much boilerplate, forced OO, and declaring that a function won't throw an exception is a waste of time. IMO Python has clearly shown the direction for language syntax.

    4. Re:Yawn by Anonymous Coward · · Score: 0

      I don't get this at all. People frequently use "Pure Java" database drivers -- is there something about Unix terminal handling that demands pure C? How hard is it to echo encrypted characters across a network? (The encryption itself could be handled by a C library if necessary.)

    5. Re:Yawn by Anonymous Coward · · Score: 0

      >If OpenSSL had been implemented in Java

      It would have been so slow that nobody would have used it. And there would have been many Java supporters ready to declare how that disadvantage would have disappeared with next year's optimized compiler and runtime, or that it was caused by the selection of the wrong library components.

      Java was a nice idea, but the implementation was too slow for practical use for too long. Now that this may no longer be the case, this widespread opinion has sunk in too far and wide.

    6. Re:Yawn by ChiralSoftware · · Score: 5, Interesting
      No, I'm not trolling. I can summarize your whole post in one sentence: "Don't make mistakes and everything will be fine!" We've been hearing that for years. The best C security coders in the world are the OpenBSD team and guess what, they make mistakes. They fail to validate input sometimes. They have had exploitable bugs in their code. And what are they doing now? They are moving to models like privsep, w^x and systrace which are all forms of sandboxing or hole containment. Eventually if they take that far enough, they'll end up running bufferless code in a VM, which would give me a sense of deja vu.

      Sure, it's entirely possible to write perfect C code with no mistakes, and it's possible to not validate input on Java code and make plenty of mistakes. You gave a great example: SQL injection attacks. Java has some great defenses against that: Use java.sql.PreparedStatement instead of java.sql.Statement. Even better, use something like JDO to give an abstracted OO view of the data.

      Here's where C breaks down: The human mind doesn't think in the right way to use C safely. We can't change the human mind (yet), but we can change which language we use. Humans just don't spot out-of-range errors, for example, but out-of-range errors are all trapped in Java, and also because Java collections know their size (unlike C arrays/pointers) out-of-range errors are much more obvious.

      Also, saying that "if you validate your input you can run it at any priv level you want" is just the wrong way to think about this. Mistakes will happen in any sufficiently large system (ie, any system that is large enough to be useful today). The only reasonable thing to do is to contain those mistakes, which means isolate processes and functions.

      Or you can keep on repeating "nothing bad would ever happen if we didn't make any mistakes!" I guess if that's what you think, I can't change your mind.

    7. Re:Yawn by Anonymous Coward · · Score: 0
      The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.

      Yeah, because dropping privs after binding is such a pain in the ass. What are you proposing, that regular users should be able to start up random services?

    8. Re:Yawn by fr0dicus · · Score: 1
      Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.

      Hear, hear. I've always wanted a kernel option to disable that, as I'm the only user on my machines and it would be nicer if I could just run my daemons as non-root than being secure in the knowledge that all of the other (zero) people who have access to my machines can't start their own server processes below 1024.

    9. Re:Yawn by jmv · · Score: 2, Insightful

      Rule #1: May I remind you that said unsafe data is also manipulated by the kernel and glibc. Are you suggesting those get converted in Java too? Oh, and with a badly written Java app, it's also possible to do all kinds of things (just not buffer overflows).

      Rule #2: Ever heard of "bind to port and then change uid"?

      I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.

      Thanks for enlightening us all.

    10. Re:Yawn by caluml · · Score: 1

      Writing OpenSSL in Java. No.
      Having to be root to bind to ports under 1024. Yes, it's very silly. Why can't we get rid of that hangover now?

    11. Re:Yawn by thogard · · Score: 3, Insightful

      It's a one-line patch to get linux (2.2 and maybe 2.4 and maybe 2.6) to only let you open ports that equal a group you're in. It's a simple fix but no one wants to do it. Even the standard /etc/groups aren't set up for this. Whatever listens to SMTP should be in group 25 and apache should be in groups 80 and 443. Then you don't need root to bind to the port and no other user can bind to the port either.

    12. Re:Yawn by bani · · Score: 1

      define "unsafe data".

    13. Re:Yawn by MoZ-RedShirt · · Score: 1

      The "must be root to bind port &lt; 1024" rule is not as bad as it sounds. You can write a program that starts as root, binds the port and then drops the root privs and even does a chroot afterwards.

      That way you are in some kind of sandbox or at least in some controlled environment. I think apache does this in this or some similar fashion. At least it binds port 80 and runs as user nobody on my system.

      RedShirt

      --
      Microsft spel chekar vor sail, worgs grate !!!
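
The bind-then-drop pattern that the post above (and jmv's "bind to port and then change uid" earlier in this thread) describes, as an added C example that is not code from the thread or from any of the daemons mentioned in it. It assumes a Linux or BSD system where uid/gid 65534 is an unprivileged account such as nobody; a real daemon would resolve the account name with getpwnam() instead of hard-coding a number, and would go on to an accept() loop where this one exits.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Open a listening TCP socket on addr:port. Ports below 1024 need root
 * (or CAP_NET_BIND_SERVICE on Linux); port 0 asks the kernel for any free
 * port, which is what an unprivileged dry run uses. Returns fd or -1. */
static int bind_listener(const char *addr, int port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t)port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 ||
        listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently give up root. Order matters: supplementary groups and the
 * gid can only be changed while still root, so the uid goes last. setuid()
 * called as root replaces real, effective and saved uid at once, so there
 * is no way back. Returns 0 on success, -1 (errno set) on failure. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Check that the drop actually stuck: not root, and setuid(0) refused.
 * A saved uid of 0 (the result of using seteuid() instead of setuid())
 * would let a compromised process climb back; this catches that mistake. */
static int privileges_dropped(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    return errno == EPERM;
}

/* The pattern the post describes: bind while root, then drop, keeping the
 * already-bound descriptor. Returns the listening fd or a negative code. */
static int bind_then_drop(const char *addr, int port, uid_t uid, gid_t gid)
{
    int fd = bind_listener(addr, port);
    if (fd < 0)
        return -1;
    if (drop_privileges(uid, gid) != 0) {
        close(fd);
        return -2;
    }
    if (!privileges_dropped()) {
        close(fd);
        return -3;
    }
    return fd;
}

/* Target ids: 65534 (assumed to be "nobody") when started as root,
 * otherwise our own ids so the same code path runs unprivileged. */
static uid_t demo_uid(void) { return getuid() == 0 ? (uid_t)65534 : getuid(); }
static gid_t demo_gid(void) { return getgid() == 0 ? (gid_t)65534 : getgid(); }

int main(void)
{
    int fd = bind_then_drop("0.0.0.0", 80, demo_uid(), demo_gid());
    if (fd < 0) {
        fprintf(stderr, "bind_then_drop failed (%d): %s\n", fd, strerror(errno));
        return 1;
    }
    printf("listening on :80 as uid %u; accept() loop would go here\n",
           (unsigned)getuid());
    close(fd);
    return 0;
}
```

Run as root it binds :80 and ends up as uid 65534 with the socket still open; run as an ordinary user the :80 bind fails with EACCES, which is exactly the rule being complained about, but a port-0 bind followed by the same drop and check goes through. The privileges_dropped() check is the part people skip: seteuid() or a missing setgid() leaves a way back to root that an exploited process can take.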
    14. Re:Yawn by multi+io · · Score: 1
      Rule #1: May I remind you that said unsafe data is also manipulated by the kernel and glibc. Are you suggesting those get converted in Java too?

      Considering all the latest "forgot to check the return value" (read: "I want exceptions") flaws resulting in local root exploits in Linux alone, writing it in something other than C (not really Java, but how about Ada or... Lisp maybe? :) ) might be a viable option...

    15. Re:Yawn by kobaz · · Score: 1
      Having to be root to bind to ports under 1024. Yes, it's very silly. Why can't we get rid of that hangover now?

      Because on multiuser systems where you for example don't run a web server you don't want random people popping up a server on port 80 pretending to be you. Of course you could firewall it off, but why not let the kernel take care of it?
      --

      The goal of computer science is to build something that will last at least until we've finished building it.
    16. Re:Yawn by Srin+Tuar · · Score: 2, Insightful

      The problem with VM's is that they are pigs.

      Openssl is coded in highly optimized C, with many components in assembly, and its still considered a high-overhead resource hog and is often the target of hardware acceleration.

      If you seriously think "Java" is even in the running for that workload- then you are seriously deluded. VM's have this peculiar BIG problem: they are slow and resource-intensive. They don't play well with other processes, they cannot swap out to share ram, and they encourage memory bloat.

      If anyone seriously wanted to use a programming language as a tool that lets you hide memory allocation and validate input- then they could choose C++. Java, et al, is just not a serious option.

    17. Re:Yawn by iwadasn · · Score: 2, Informative

      I completely agree. The port binding should still be specific, but not root. For instance, every unix system should have a "network" user that is the only one that can bind to ports less than 1024, root cannot, nor can anyone else. That nicely sandboxes all the attack vectors into one user that can be easily controlled and chrooted.

      But of course none of this would be necessary if everything possible was written in java. Then you wouldn't really have to worry because worst case scenario, you get an exception...

      In addition, I'm going to go off on a tangent here about java performance testing. Basically whenever people compare performance they compile up a C version using the latest compiler, targeting their CPU specifically, and they compile up a java version and run them head to head. This is about the most unfair comparison you can make. In general, software is almost always older than hardware, and it's virtually never targeted for the CPU you're actually running it on. Try compiling the C source on a three year old compiler targeting a pentium II, then run the benchmark on the P4 and lets see how it turns out. That is the common case after all. One of java's largest advantages is that it knows everything about your hardware, so theoretically it should always be fairly well optimized for it. The comparative performance would be much closer (it's usually pretty close anyway) if things were tested in this real world scenario.

    18. Re:Yawn by Anonymous Coward · · Score: 0
      Java

      NO.
    19. Re:Yawn by bockman · · Score: 1
      it would be nicer if I could just run my daemons as non-root.

      You could do something like: configure apache to use port 12567 and then remap that port to port 80 using iptables. Never tried, but should work.

      --
      Ciao

      ----

      FB

    20. Re:Yawn by smcdow · · Score: 1
      If OpenSSL had been implemented in Java...

      Probably not a terrible idea, provided we don't have to drag around the goddamned VM along with it.

      Java will never be taken seriously as a system language until it can be reliably compiled into machine native executables (with no stupid-assed requirements for a bloated VM). I have high hopes for GCJ. Sun f.cked up when they didn't do this themselves.

      --
      In the course of every project, it will become necessary to shoot the scientists and begin production.
    21. Re:Yawn by LinuxHam · · Score: 1

      That's the problem with all these newcomers popping in with "they got it all wrong, and I can fix it." Their semester is almost over but they don't learn about dropping privileges until the next semester in Operating Systems Design. It's kind of sad seeing the future leaders wanting to take us away from drastically improved security practices.

      Hey, new kids. Learn about Mandatory Access Controls. Start with LIDS, grsecurity, openwall, SELinux and the LSM. Plus, if you think Apache runs as root any longer than it takes to bind to port 80, then don't worry, your professor will cover it come September.

      Sorry to be so gritty, but some commentators are striking fear in me about the directions they think security should go.

      --
      Intelligent Life on Earth
    22. Re:Yawn by Desert+Raven · · Score: 1

      OK, you really are a troll.

      The Java VMs are distributed as *binaries*, because Sun's too much of a prig to open-source it. This means it was compiled for the "lowest common denominator" x86 system, probably Pentium (not II or III).

      In contrast, OpenSSH is distributed as source, which means it was compiled *on my system, for my system*.

      One of java's largest advantages is that it knows everything about your hardware, so theoretically it should always be fairly well optimized for it.

      This is a joke, right? Java doesn't "know" any more about your hardware than vi does.

      I'm a Java programmer, and Java has come a long way, and is plenty stable enough for a lot of things. However, there isn't a chance in hades that I'd use it for a system-level app like SSH, or for an extremely high-load app like Apache. Sorry, it's just not there yet.

    23. Re:Yawn by lildogie · · Score: 1

      > Rule #1: Unsafe data should be handled in sandboxed languages.

      So the Java interpreter is written in Java? Sweet. };-)

    24. Re:Yawn by jmv · · Score: 1

      I definitely think you should post your idea on lkml. I'm sure they'll like it ;-)

    25. Re:Yawn by Electrum · · Score: 2, Insightful

      We've been hearing that for years. The best C security coders in the world are the OpenBSD team and guess what, they make mistakes. They fail to validate input sometimes. They have had exploitable bugs in their code.

      Funny, then why have the qmail and djbdns security guarantees never been claimed? Perhaps because it really is possible to write secure code in C?

    26. Re:Yawn by Deagol · · Score: 1
      I think the grsecurity patch (linux only) allows you to grant specific UIDs the ability to bind to specific ports. So, for example, only user "www" could bind to port 80.

      I don't think any of the BSDs have such a mechanism. The best thing they have is jail, which is pretty damned cool and useful.

    27. Re:Yawn by NoOneInParticular · · Score: 1

      Right, so how would your java-ssl handle this null-pointer exception that gets thrown due to poor coding? C can handle SIGSEGV as well, but that doesn't mean that there's a recovery path from it.

    28. Re:Yawn by iwadasn · · Score: 1

      Fine, since the JVM is compiled for a P-II, compile the test apps for a P-II as well. Linux users aside (and many of them get binaries anyway) the vast majority of the world's software is distributed in binary form, and virtually all of that is compiled for the lowest common denominator of hardware, Sun's JVM probably is an example of this, which is why it is unfair to test it against a source ball that you compiled yourself targeting your own platform.

      In any case, the trend seems reasonably well defined. Apps that are not distributed as source will face ever growing performance hurdles as it hurts more and more to be compiled for the lowest common denominator as CPUs become more complex. This seems inescapable. Furthermore, the performance cost of using a VM based language will diminish as VMs become more advanced, and the time required to compile code diminishes relative to the time required to execute it.

      Basically, it seems that the performance of VMs will increase relative to the performance of statically compiled apps for the foreseeable future. They have already made up much of the difference.

      In the not too distant future it's not hard to believe that the two lines will cross. If Sun and IBM and Apple put serious work into java, those lines could mostly intersect within a couple of years.

      People do use it for high load apps, like Tomcat, though granted many people use Tomcat behind apache.

      The performance difference isn't nearly what you think it is. A program doesn't have to be written in java to be slow, Mozilla and OpenOffice should be decent examples of this.

    29. Re:Yawn by multi+io · · Score: 1
      I definitely think you should post your idea on lkml. I'm sure they'll like it ;-)

      I don't dare :). The FAQ keeps me off...

      Actually, I don't think I'm competent enough. Yet. Not until I've dug through the kernel hacker's guide and some nontrivial kernelspace code. :-)

    30. Re:Yawn by kobaz · · Score: 1

      My post isn't just about not making mistakes, everyone makes mistakes when programming, but it's developing with a particular mindset that will help prevent as many mistakes as possible.

      Here is my methodology:
      You accept a piece of input, be it a packet, a pointer to something, someone's username, or anything.

      You think to yourself, what are my limits with this piece of data. What is the size limit, what elements can or can't it contain, what memory location ranges will we allow this pointer to point to.

      You have a buffer with X number of bytes to store an incoming packet, so what you do is get the size of the data, if it's too big it's an invalid packet and you drop it, no sense to continue.

      If you are being passed an offset into a data segment, make sure that offset is within the proper range of memory.

      It's all about validating your data. If you follow the simple rule of validating any and every bit of input that your program will accept you have just gained a huge plus in software security.

      Many people code in such a way that they assume all chunks of data will be valid and then later add validation, that approach works as long as you can keep in your head all the places that need validation.

      Once you know that a specific piece of data can have an arbitrary value, you must make sure that value is within the right limits otherwise bad things can happen.

      It's not "let's hope and pray we made no mistakes" it's all about sticking to a strict game plan to make sure you don't make mistakes, or limit them to a minimum.

      --

      The goal of computer science is to build something that will last at least until we've finished building it.
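
The validation discipline kobaz lays out above, applied to the bug class in this advisory (an out-of-bounds read that comes from trusting a length field in received data), as an added C example that is not code from the thread or from OpenSSL. The record format is hypothetical and the byte strings are constructed for the example; the point is that parse_record() checks every read against the number of bytes actually received, while declared_payload_len() returns the value that buggy code trusts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire format for this example (not OpenSSL's):
 *   [type:1][len:2, big-endian][payload:len bytes]
 * A buffer may carry several records back to back. */
struct record {
    uint8_t type;
    uint16_t len;
    const uint8_t *payload;   /* points into the caller's buffer */
};

/* What the buggy pattern boils down to: read the length the peer declared
 * and trust it. The header read itself is in bounds; the bug is in code
 * that then copies or scans `len` bytes without comparing it to what was
 * actually received. Kept only to contrast with parse_record(). */
static uint16_t declared_payload_len(const uint8_t *buf)
{
    return (uint16_t)((buf[1] << 8) | buf[2]);
}

/* Checked parse of one record at the start of buf. Every read is preceded
 * by a check against buflen, the number of bytes actually received.
 * Returns bytes consumed, or 0 if the record is truncated. */
static size_t parse_record(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 3)
        return 0;                        /* header incomplete */
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len > buflen - 3)
        return 0;                        /* payload would run past the buffer */
    out->type = buf[0];
    out->len = len;
    out->payload = buf + 3;
    return 3 + (size_t)len;
}

/* Parse a whole buffer. Returns the number of records, or -1 if any record
 * is malformed; a partial result is deliberately not reported, so a caller
 * cannot act on a half-validated message. */
static int count_records(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int n = 0;
    while (off < buflen) {
        struct record r;
        size_t used = parse_record(buf + off, buflen - off, &r);
        if (used == 0)
            return -1;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample input (not captured traffic). */
static const uint8_t GOOD[] = {
    0x01, 0x00, 0x03, 'a', 'b', 'c',     /* type 1, 3-byte payload */
    0x02, 0x00, 0x00                     /* type 2, empty payload */
};
/* Declares 16 payload bytes but only 2 arrived: the shape of an
 * out-of-bounds read if the declared length is trusted. */
static const uint8_t TRUNCATED[] = { 0x01, 0x00, 0x10, 'a', 'b' };

int main(void)
{
    printf("GOOD: %d records\n", count_records(GOOD, sizeof GOOD));
    printf("TRUNCATED: declares %u payload bytes, %zu present, parse -> %d\n",
           (unsigned)declared_payload_len(TRUNCATED),
           sizeof TRUNCATED - 3,
           count_records(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

The two checks in parse_record() are the whole defence: the header check before touching buf[1] and buf[2], and the payload check written as len > buflen - 3 (after buflen >= 3 is known) rather than 3 + len > buflen, so there is no arithmetic on attacker-controlled values that could wrap.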
    31. Re:Yawn by Anonymous Coward · · Score: 0

      Because DJB redefines the meaning of "guarantee" as required to avoid anyone making a claim.

  38. Re:Validate untrusted data! by Anonymous Coward · · Score: 0

    Ah, but what data is untrusted? It depends on the application, does it not?

    In any case, this is "only" OpenSSL 0.9.7d; imagine what 1.0.0 will be like! *snigger*

  39. No, but... by Kjella · · Score: 1

    ...when the "home" server I'm logging into is 400km away, it's kinda hard to get back in touch. I'd have to call up my folks and have them hit the reset button, not exactly what they (Did I do something wrong now?), me (Sigh, I have to ask the least technically competent people for help) or the server (I swear it'll corrupt something important, Murphy's law) wants...

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:No, but... by thogard · · Score: 2, Informative

      If you need the program to run, its init's job to keep it running and init does a fine job doing exactly that.

      I guess you start your critical ssl apps out of the rc scripts don't you?

      A well built server can take a # kill -9 -1 and still keep on going. (thats kill -SIGKILL every process)

  40. advice on cvsup by puzzled · · Score: 3, Insightful

    There is a minimal cvsup config for FreeBSD 4.9 - cvsup -g -L 2 and you're off and running.

    *default host=cvsup6.FreeBSD.org
    *default base=/usr
    *default prefix=/usr
    # The following line is for 4-stable. If you want 3-stable or 2.2-stable,
    # change "RELENG_4" to "RELENG_3" or "RELENG_2_2" respectively.
    *default release=cvs tag=RELENG_4
    *default delete use-rel-suffix
    # If your network link is a T1 or faster, comment out the following line.
    *default compress
    src-all
    #ports-all tag=.

    make buildworld && make installworld install *world*, which does not include anything you built out of /usr/ports - portupgrade is what handles moving that stuff forward for you.

    FreeBSD *is* intimidating at first, but if you take the thirty days of pain at the end of that time you'll be looking at your Linux boxes and wondering why you ever put up with the chaos ...

    --
    I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
  41. Re:Patch updates are NOT news by consolidatedbord · · Score: 1

    Guilty as charged....

    I probably should have posted that anonymously...;-)

    --
    while true ; do echo this is my sig; done
  42. Come on, show some sense of humor by Phekko · · Score: 1

    Just welcome your new [NO CARRIER] overlord and get over it. It's not like your whole world suddenly collapses if someone gets modded up for a joke you don't like, is it?

    --

    Sigs for Nerds. Sigs that Matter.
    1. Re:Come on, show some sense of humor by fafaforza · · Score: 1

      Absolutely nothing?

    2. Re:Come on, show some sense of humor by Anonymous Coward · · Score: 0
      It's not like your whole world suddenly collapses if someone gets modded up for a joke you don't like, is it?

      Yes it is, hell that joke being at +5 is worse to me than the MiniBush presidency. On a disaster scale of 1-10, this is an 11. That post is the 'Kenny' to an attack by 'Gamera' the atomic monster.

      I'm tired of coming up with hyperbole - that post sucks and so does this one. Death take me now... please.

  43. Scary AND funny! by veddermatic · · Score: 3, Funny

    When an OSS / Linux / BSD / OS X / something other than Windows flaw is found, it's serious.

    It really is. You need to take it seriously and fix it. ASAP. Hopefully, most folks who run said OSes are paying attention, and will do what they need to do to secure the flaw.

    That said, every time anyone uses Outlook to read email, the above looks really, really good.

    --
    Department of Homeland Security: Removing the rights real patriots fought and died for since 2001
    1. Re:Scary AND funny! by tommck · · Score: 1

      Department of Homelad Security: ...

      Is that the department that keeps little boys safe at home?

      --
      ---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
  44. Redhat? by Jesus+IS+the+Devil · · Score: 4, Informative

    If you have RedHat and can't do the up2date any longer, here's what I did to make mine work:

    wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz
    tar xvfz openssl-0.9.7d.tar.gz
    cd openssl-0.9.7d
    ./config shared --prefix=/usr
    make
    make test
    make install

    Configure with "shared" because it will install the shared library, which is needed for other programs such as SSHD. The prefix is where RedHat put its *.so files that's needed by OpenSSH.

    Not sure if it's required or not, but I just restarted SSHD (uses OpenSSL) after that just in case.

    Btw, the above is just what I did. I make no warranties. Follow it at your own risk. :)

    --

    eTrade SUCKS
    1. Re:Redhat? by Jesus+IS+the+Devil · · Score: 1

      Ok slashdot has messed with my formatting. Anyways the config line is to be on a line by itself. Separate it from the cd openssl-0.9.7d.

      --

      eTrade SUCKS
    2. Re:Redhat? by QuMa · · Score: 2, Informative

      Or you could just download the RPM's listed in the RHSA and install those.

    3. Re:Redhat? by smcdow · · Score: 1
      From the link you provided:

      Updated packages:
      Red Hat Linux 9

      Us poor souls still running RH{7,8} don't have a choice but to build and install from scratch. That is unless someone can definitively say that the RH9 RPMs will work with RH{7,8}.

      --
      In the course of every project, it will become necessary to shoot the scientists and begin production.
    4. Re:Redhat? by QuMa · · Score: 1

      The system I use redhat packages on started off as a redhat 5.1 install. Over the years I've upgraded bits and pieces but never done a complete upgrade. The system is a bit of a shambles, but most of that isn't due to the redhat parts. Upgrading rpm with rpm might be a bit of a pain in the neck, but it's quite doable.

    5. Re:Redhat? by smcavoy · · Score: 1

      Actually, you don't need to mess up rpm's package management..
      there is a spec file included with the openssl source distribution.
      all one need do is place the file in the right directories and:
      rpmbuild -bb openssl.spec
      a few minutes later, blam! you've got a fresh rpm

      It even builds on redhat 6.x boxen... which I have way too many of.

    6. Re:Redhat? by bobbozzo · · Score: 1
      Us poor souls still running RH{7,8} don't have a choice but to build and install from scratch.

      http://www.fedoralegacy.org/ is great... they've been releasing security update RPMs for RH 7.2, 7.3, and 8.0 since January.

      --
      Nothing to see here; Move along.
    7. Re:Redhat? by IchBinEinPenguin · · Score: 1

      AARRGGHH!!

      If you know enough to download, configure, make,test and install a daemon, then you should know enough to CHECK THE SOURCE.

      Either check the tarball (md5sum, gpg, whatever turns you on) or diff the code with a trusted version to make sure nothing nasty has crept in.

      OSS's worst(?) security breaches so far (archives serving trojaned source) were both detected by someone actually checking the source before blindly compiling it.

      All the security in the world is no match for one lazy act. If people get lazy, their PCs get insecure, no matter what OS they run.
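
      The build recipe in the "Redhat?" post above and this reply both come down to one missing step: confirming the tarball before running ./config and make on it. The following is an added shell example (not IchBinEinPenguin's or the Redhat poster's code, and not OpenSSL's own tooling) that checks a downloaded file against a digest obtained from a trusted source and wraps the gpg signature check; file names and digest values in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original posts): check a downloaded source
# tarball before building it.
#
# verify_digest FILE EXPECTED [TOOL]
#   Compares FILE's digest with EXPECTED, which must come from somewhere
#   other than the download itself (the project's announcement, a signed
#   digest list, a trusted mirror). TOOL defaults to sha256sum; pass md5sum
#   if that is all the publisher provides, and treat it as a weaker check.
#   Returns 0 on match, 1 on mismatch, 2 if FILE does not exist.
verify_digest() {
    file=$1
    expected=$2
    tool=${3:-sha256sum}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$("$tool" "$file" | awk '{ print $1 }')
    # Compare case-insensitively: publishers differ in hex casing.
    actual=$(printf '%s' "$actual" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the $tool digest"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_signature FILE
#   Checks the detached signature FILE.asc with gpg. This only means
#   something if the signing key was fetched and checked beforehand, and
#   not from the same download location as the tarball.
verify_signature() {
    file=$1
    [ -f "$file.asc" ] || { echo "no signature file: $file.asc" >&2; return 2; }
    gpg --verify "$file.asc" "$file"
}

# check_then_unpack TARBALL EXPECTED_DIGEST
#   Placeholder flow: refuse to unpack unless both checks pass.
check_then_unpack() {
    tarball=$1
    digest=$2
    verify_digest "$tarball" "$digest" || return 1
    verify_signature "$tarball" || return 1
    tar xzf "$tarball"
}
```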

  45. Re:Validate untrusted data! by Anonymous Coward · · Score: 0

    Oh look, another valid post modded as a troll because it doesn't follow the Slashdot party line. Sad really.

    Couple of points so that you don't get modded down again:
    1. Linux rocks, always (don't question it). Even if it doesn't apply, you have to say it.
    2. The philosophy behind open source is infallible.
    3. Bugs in open source programs are never as bad as proprietary bugs.
    4. If the bug really is as bad, well it was because it wasn't licenced correctly per GPL, artistic license, etc.

  46. some software is inherently insecure by Anonymous Coward · · Score: 0

    I ditched OpenSSL and OpenSSH long ago. I'm tired of crappy code and new vulnerabilities. I mean it's not like I'm running wu-ftpd anymore. Right now I use gnutls and lsh instead. They probably aren't flawless but probably much better anyway. I plan to change my OpenLDAP to tinyldap as well, but I'll hold my breath until it gets write support.

  47. Funny? I would say "Insightful". Use Java! by iamacat · · Score: 1

    I have some problems with its lack of language features, but for security-critical components memory safety, configurable security settings and controlled crashes (exceptions that can be caught and terminate just one thread) can not be beat. sshd should be written in Java, at least as an option for extra security, with as little native code as possible.

  48. performance hit by bani · · Score: 1

    are you willing to take the performance hit to convert it to another language though?

    c is just one step away from being a macro assembler, so it's very fast. it's suitable for writing hardware device drivers, something most other languages are not. you won't be seeing any gigabit ethernet drivers written in java, for example. unless you want your gigabit ethernet driver to perform like 10mbit :-)

    the reason there's pointers, etc. is because that's the way CPUs operate. C being such a lowlevel language inherits that functionality directly.

    once you get into languages that do typechecking, reference tracking, etc. in order to "avoid evil pointers", you introduce a lot of overhead.

    and you don't eliminate the exploits either, you just exchange the old ones for new ones.

    don't depend on your programming language saving you from doing stupid things.

    1. Re:performance hit by gregmac · · Score: 1

      are you willing to take the performance hit to convert it to another language though?

      Take the performance hit and get the security increase? Hell yes.

      I can buy a faster CPU for a whole lot cheaper than I can pay a programmer to go through and audit thousands of lines of code, with no guarantee they'll even be able to catch all the problems.

      Of course, this doesn't get around having problems in the language you're using to write the application - but the benefit is, if there is a bug, it is more likely to be found (because so many people are using the same code for so many purposes), and fixing it will fix any instance of that bug in every application built on that language.

      Or maybe having 5% less CPU utilization is more important than preventing someone from exploiting your server?

      --
      Speak before you think
    2. Re:performance hit by bani · · Score: 1

      as i stated, when changing from one language to another, you exchange one set of exploits for another. you get away from null pointers and stack overflows of C, and get into all new ones of your chosen language.

      java isn't immune, nor is ada, or perl, or just about any other language that's a practical target for openssh.

  49. You need to monitor security lists by donheff · · Score: 4, Interesting

    I see a fair number of posts from people who rely on /. to learn about security flaws. That doesn't seem to be a sensible approach. It is pretty easy to follow a security list and keep an eye out for vulnerabilities affecting your system(s). I am a home user with a simple Web server in the basement. I subscribe to the CERT list. Others here mentioned Bugtraq. I catch quite a few alerts that I don't hear about in more general forums until after I see activity in my Snort logs. Even with a nightly update via yum some things need individual attention. Case in point, a flaw in a PHP application (Gallery) that falls outside of the packages covered by yum. You have to know about it to fix it -- and the bad guys know about it immediately.

    Don

  50. Open source isn't a perfect model for secure code by pcause · · Score: 0

    I'm not surprised that there is another bug. It is software and even software that aims to bring us security is written by programmers who are human and make mistakes.

    What this does show is that claims that open source code is inherently more secure because it is more widely reviewed and vetted are simply not true. Whether it is Microsoft or open source, we will be living with security flaws and bugs for the foreseeable future.

    I'd really like to see the end of the open source is more secure than closed source flame wars on /. All software is built by fallible humans and no process is 100% effective in preventing such flaws from being introduced into programs.

  51. Don't bother by RodeoBoy · · Score: 1

    he can't hear you with his foil hat on so tight.

  52. recompile ssh? by in4mation · · Score: 1

    I'm confused. Does that mean, in addition to updating openssl, I also have to recompile openssh with the new version of openssl? Also what about mod_ssl, or anything that depends on openssl being present in order to be able to compile?

    1. Re:recompile ssh? by bigjnsa500 · · Score: 1

      The answer is yes to all the above. Anything using OpenSSL will need to be recompiled. If you're using a custom Apache like I am, that means I have to recompile Apache, PHP, MySQL, mod_ssl, the works because I have all those modules builtin. It's gonna be a long day ;)

      --
      This is a test. This is a test of the emergency sig system. This has been only a test.
    2. Re:recompile ssh? by in4mation · · Score: 1

      There goes my day :-( I was hoping to read /. the whole day.

    3. Re:recompile ssh? by nestler · · Score: 1
      You only need to recompile things that use the SSL part of OpenSSL (like mod_ssl). You do not have to recompile things that only link the crypto part of OpenSSL (OpenSSH only uses the crypto part of OpenSSL).

      You can see what is used by doing an ldd on the binary. If you see libssl listed, you need to recompile. If you only see libcrypto, you do not.

      Note that this ldd trick only works on dynamically linked binaries. If the binary is statically linked, you won't see either library listed no matter what (in which case you will need to do more research to figure out what to rebuild).
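
      As an added example (not nestler's own script), the ldd check described above as a small shell function that classifies a binary's dependency list and flags statically linked binaries for manual follow-up; the directory path and the ldd lines used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: apply the ldd rule above.
# classify_ldd_output reads ldd output on stdin and prints one word:
#   rebuild - the binary links libssl, so a libssl fix affects it
#   crypto  - it links only libcrypto (the OpenSSH case in the post)
#   static  - ldd reports "not a dynamic executable": nothing is listed
#             even if OpenSSL is compiled in, so inspect it another way
#   none    - neither library appears
classify_ldd_output() {
    out=$(cat)
    case $out in
        *"not a dynamic executable"*) echo static; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'libssl\.so'; then
        echo rebuild
    elif printf '%s\n' "$out" | grep -q 'libcrypto\.so'; then
        echo crypto
    else
        echo none
    fi
}

# classify_binary PATH: run ldd on a real file. stderr is merged because
# ldd may print the "not a dynamic executable" message there.
# Caveat: ldd does not see libraries pulled in with dlopen at runtime, so
# loadable modules (mod_ssl.so, PHP extensions) must be checked as files
# in their own right, not through the httpd or php binary that loads them.
classify_binary() {
    ldd "$1" 2>&1 | classify_ldd_output
}

# report_dir DIR: one classification line per regular file in DIR,
# e.g. report_dir /usr/local/sbin (constructed path).
report_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%-8s %s\n' "$(classify_binary "$f")" "$f"
    done
}
```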

  53. Time for the obligatory plug by iwadasn · · Score: 1

    This is why you use java. How many bugs have been found in Java's SSL libraries? None that I've ever heard of, and that's not because they're obscure. Both of these bugs could never exist in java. They would both throw exceptions when encountered, and those would be handled, rather than coredumping the program.

    Lets face it guys, if you're not writing an OS, a game, or a calculation based app (lapack, etc...), you're insane if you're not writing in java. That's all there is to it. Why work twice as hard so you can have twice as many bugs and support half as many platforms? It just doesn't make sense.

    my $.02

    1. Re:Time for the obligatory plug by Anonymous Coward · · Score: 0

      I hate to tell you this but java is drag-ass slow. It is still slow to this day. I wouldnt want encryption routines written in a slow language. Every java app I have seen is fat and slow.

    2. Re:Time for the obligatory plug by Anonymous Coward · · Score: 0
      Lets face it guys, if you're not writing an OS, a game, or a calculation based app (lapack, etc...), you're insane if you're not writing in java. That's all there is to it. Why work twice as hard so you can have twice as many bugs and support half as many platforms? It just doesn't make sense.
      Lets face it guys, java is not ready for prime-time. It is most unfortunate that the language must be compiled and then interpreted, so that it gets the worst of both worlds. A true interpreter would be faster. It is things like insistence on pcode that are driving machines to be more powerful than most people should ever need.
    3. Re:Time for the obligatory plug by NoOneInParticular · · Score: 1

      So this magical 'java' program you speak of is capable of fixing programming errors? All I can do in C is put a signal handler for a segfault and do some damage control, but you say that this magical stuff called an exception can actually fix such errors in running code?

  54. This is not much of an issue... by Tenzen01 · · Score: 1

    Yes, there is a bug in the code. No its nothing to go nuts about. I have verified the existence in a product for our company, but you know what it does? Nada.

    We use Apache + OpenSSL in our Product. When an SSL request comes in with the malicious data, Apache creates a child process to deal with it. Child process uses NULL pointer to access Memory. Process SEGFAULTs and dies. Apache remains running.

    In a well architected system you protect yourself on multiple levels. Linux uses memory protection to limit the damage one bad pointer can do. Apache does the right thing and spawns child processes to deal with requests, thereby preventing problems from bringing down the whole server.

    Another poster was right, many of these exploits are sensationalism to scare people and attract readers.

  55. Re:Open source isn't a perfect model for secure co by JShadow · · Score: 1, Insightful

    The argument isn't that Open Source is inherently more secure when written, but that overall it is more secure.

    What's the difference you ask?

    Closed source software M is found to have a bug, and that hole is open for 6 months; Open Source software S is found to have a bug, but the hole is open for 2 weeks MAXIMUM, most of the time it's fixed and patches available within 1 week.

    Thus, Open Source is more secure because holes, which are, to a certain extent, inevitable, remain open for a very short amount of time, and on the whole not long enough to exploit.

  56. C language is (also) to blame. by master_p · · Score: 3, Insightful

    A null-pointer assignment

    an out-of-bounds read

    Aside from the programmer's errors, if C was safer, both bugs would have already been caught a long time ago. C is clearly to blame here.

    1. Re:C language is (also) to blame. by NoOneInParticular · · Score: 1
      public class JavaSSL {
          public static void main(String[] args) {
              try {
                  run_ssl();
              } catch (NullPointerException e) {
                  //hmm, now what?
                  throw e;
              } catch (ArrayIndexOutOfBoundsException e) {
                  // notify user
                  throw e;
              }
          }

          // stand-in for the SSL work the snippet calls, so it compiles
          static void run_ssl() { }
      }
    2. Re:C language is (also) to blame. by LilMikey · · Score: 1

      It's a poor craftsman that blames his tools.

      That being said, I'm forced to write in PowerBuilder all day. I'm a very, very bad craftsman.

      --
      LilMikey.com... I'll stop doing it when you sto
  57. Whine whine whine, yawn by Anonymous Coward · · Score: 0

    What's a little speed and RAM trade off for security? So say the C/C++ flamers... Little do you realize this is crypto for servers. OpenSSL is BSD licensed, so why don't you people port it to Java and stop whining why it was written in C and assembly in the first place? If not, then stop/don't use it.

    Don't like it in C/C++, port it to your signed and trusted language. It's Open Source!!!!!!

  58. OpenSSL in Java would be too slow by nestler · · Score: 3, Interesting
    An OpenSSL written in Java would be a complete non-starter. Nobody would use it because it would be too slow.

    For most applications, you are right that safety outweighs performance concerns. However, OpenSSL is in that 1% of applications where performance outweighs everything. It is a crypto library. Crypto is extremely CPU intensive.

    OpenSSL is expected to run as fast as possible, to the point where parts of it aren't even written in C. The core bignum and hashing routines are written in assembly language for various platforms.

    You even mentioned this caveat:
    if you're not writing an OS, a game, or a calculation based app (lapack, etc...)

    But you didn't seem to realize that this caveat certainly applies to OpenSSL (if ever there were a calculation based app, this is it).

    1. Re:OpenSSL in Java would be too slow by IchBinEinPenguin · · Score: 1

      I'd use it.

      For my work, processing power _FAR_ outstrips bandwidth, so if I could trade some idle CPU for security I'd go for it!

      However, I realise that most people wouldn't. You can't convert everyone, and it makes no sense to have 2 source trees in 2 different languages.

      Maybe the answer is an automatic C to Java conversion (possible?) that would allow you to run a java-based OpenSSL: a bit slower, but a bit more immune to the next bug too.

      Come to think of it, I don't like the idea of depending on the JVM for security. I suspect there are more bugs in the JVM than there will ever be in OpenSSL, mostly because they have a completely different focus, features vs security.

  59. Re:Open source isn't a perfect model for secure co by Anonymous Coward · · Score: 0

    In order for A to be more secure than B, it is not required that A be 100% secure. Of course all software has bugs, even open source. That does not exclude the claim that open source is MORE secure than closed source.

    Logic. Learn it. Love it. Live it.

  60. You can't draw generalized conclusions by dmeranda · · Score: 1

    Come on, this shows nothing. The ONLY conclusion you can draw from this is that OpenSSL 0.9.7c is probably less secure than OpenSSL 0.9.7d. That's it.

    Reviewing source code does not make any software more secure; because reviewing code does not change the code. The only thing reviewing does is to potentially find security flaws you didn't know existed. And that's what happened in this case. The fact that it's open source means that people other than the authors are also able to perform reviews, which in theory means that potentially more flaws will be discovered. So the fact that this flaw was discovered, and it was by a group of people other than the authors, in my opinion means that the open source model worked. We now have version 0.9.7d which is more secure.

    To try to make any kind of comparison to say MS code, or even to other open source software is mostly a waste of time. And to all you Java/GnuTLS pundits, no, this doesn't prove that your pet favorite implementation is any more or any less secure than OpenSSL. Facts are facts, which are not opinions.

  61. "M$" by bonch · · Score: 1

    Honestly people, is this really /. front page news?

    We get a front page headline for every user-run executable that is somehow labelled a "Microsoft hole." I see no reason why OSS software should be treated any differently (though sometimes it is...).

  62. MOD PARENT REDUNDANT by Anonymous Coward · · Score: 0

    This has to be at least the 6th post that mentioned safer languages like Java... blah blah... Hello? Speed? Encryption? Nah... don't want that to be fast... DUH

  63. You must be kidding by Too+Much+Noise · · Score: 1

    ... or thinking really small scale. How many simultaneous ssh connections does your "ideal java sshd server" plan to supply? and what hardware do you want to run that on?

    It's no use ssh-ing to a box if you won't be able to use it afterwards due to low-memory slow responsiveness.

    1. Re:You must be kidding by iamacat · · Score: 1

      SSL already adds a performance overhead. On the other hand, Java web servers have been known to handle a large number of sessions.

      If the security is really critical, it doesn't make sense to use software with potential buffer overflows. If security is not important, just use telnet. For something in the middle, use a shell with symmetric encryption like AES using a hash of your login password, without sending the password itself over. This kind of simple code is far less likely to have memory problems than OpenSSL.

    2. Re:You must be kidding by Too+Much+Noise · · Score: 1
      SSL already adds a performance overhead. On the other hand, Java web servers have been known to handle a large number of sessions.

      nice twist - changing the subject without addressing the issue.

      Try this:
      • SSL brings overhead - so do you really want to add Java's to it? as it was pointed already several times so far, Java is a resource hog so it's unsuited for both small servers and very large-traffic ones in that.
      • Java is among the last places to look for computation-intensive tasks. SSL encrypting/decrypting is such a task. You might argue that the crypto libs can stay C and be called from Java, but that defeats your purpose of getting rid of that pesky C code.
      • yes, you can handle multiple connections in Java - provided that you don't launch different clients to handle each other, otherwise you risk running out of memory with greedy VMs contending for ram. But this is not particularly safe - one common point of failure sucks.


      Best tool for the job is the answer alright, but Java isn't it in this case. However, you're free to do a Java implementation of the SSL libs and use it - just don't be surprised if widespread adoption will not follow.
    3. Re:You must be kidding by iamacat · · Score: 1

      e-commerce web applications certainly need performance, security, stability and scaling to large number of concurrent sessions. Therefore all of them are written in C. Oh wait...

    4. Re:You must be kidding by Anonymous Coward · · Score: 0

      Well yes, they are written in C. At least, the parts that need "performance, security and scaling" are (well, security is highly arguable).

      If you haven't used Weblogic's "native performance pack" (or IBM's equivalent), you obviously haven't worked on any large-scale Java web applications.

  64. go get some fish by Anonymous Coward · · Score: 0

    automatic software updates were invented by non-windows and non-apple guys decades ago.

    ever wondered how large companies deploy their software (i.e. Deutsche Telekom with 400.000 desktop systems?) Most of them have custom solutions far more superior than "Windows Update".

    Or simply ask an average debian user what "apt-get update" means.

    "Updating" is so much more than just getting the "latest" updates.

    - you also need additional "dependent" software
    - optionally "recommended" software
    - configurations of software might also get updated
    - maybe you want to stay up-to-date in a named flavour (like stable, unstable, alpha, beta, etc.)
    - and it should be possible to "hold" a version or just go back to an older version.

    ---