Slashdot Mirror

← Back to Stories (view on slashdot.org)

Multiple Vulnerabilities in OpenSSL

Posted by CowboyNeal on from the stay-safe-stay-current dept.

gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."

10 of 274 comments (clear)

  1. 3 actually by chrisopherpace · · Score: 4, Informative

    According to this link
    Here
    There are three vulnerabilities.
    This was, like, sooo yesterday on the Bugtraq lists ;)

    --


    Bored? Why not join a decent mess
    1. Re:3 actually by Siva · · Score: 4, Informative

      true, but one was in an older-than-current version. not to say it shouldn't be noted, of course...

      --

      Keyboard not found.
      Press F1 to continue.
    2. Re:3 actually by chrisopherpace · · Score: 4, Informative

      Not to troll, but OpenSSL is not Linux, and Linux is not OpenSSL.

      --


      Bored? Why not join a decent mess
  2. Re:before the trolls start... by Trejkaz · · Score: 5, Informative

    In particular, if you were running OpenSSH on Windows, which still depends on OpenSSL, then you are still in trouble. This isn't an OS security problem, it's a library security problem.

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  3. Re:Non-Exploitable Security DOS Exploit by MobyTurbo · · Score: 4, Informative
    Honestly people, is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago, and a fixed version of OpenSSL is already available.

    Slackware Linux also has this fixed. Incidentally, like the parent's subject line says, this is a minor vulnerability that at the most makes openssl crash, not an exploit or a trojan like all the stuff we've been seeing about Windows on /. lately.

  4. Move along by Dalcius · · Score: 4, Informative

    Nothing really to see here folks. Both attacks crash the SSL server, so we're looking at DOS attacks and not 'holes'. This is certainly serious for the business who relies on it, but for home networks and casual use (which I'm sure is common among slashdotters) this is no sweat.

    Nice to hear that they found the holes, though. :)

    --
    ~Dalcius
    Rome wasn't burnt in a day.
  5. Re:Non-Exploitable Security DOS Exploit by Anonymous Coward · · Score: 5, Informative
    How do you set up your supfile?

    Copy it from /usr/share/examples/ (it's somewhere in there, I think, my FreeBSD box isn't running at the moment, I've poached some of its hardware).

    Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?

    That's a fine question indeed. What I do is:

    make DESTDIR=/usr/local/fake_root distrib-dirs distribution

    make DESTDIR=/usr/local/fake_root installworld

    make DESTDIR=/usr/local/fake_root installkernel KERNCONF=foobar

    Then you can compare the contents of /usr/local/fake_root and stuff in /. I like find and sort and vimdiff to do that. It's not super elegant, but you don't have to do it too often if you're tracking something like RELENG_4_9, since rarely do things get updated. What you would use it for is when you make changes to the base, which leads me to:

    Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports?

    Yes! But you can get around it. In /etc/make.conf, do:

    NO_SENDMAIL=true

    Now sendmail won't be built, although its stale files will hang around; refer to point 2 above.

    You'll also, in rc.conf, want:

    sendmail_enable="YES"

    sendmail_flags="-bd"

    sendmail_outbound_enable="NO"

    sendmail_submit_enable="NO"

    sendmail_msp_queue_enable="NO"

    At least for Postfix, which you say you use.

  6. Not too big of an issue... by InvaderXimian · · Score: 5, Informative

    Considering most setups (namely FreeBSD ones) aren't affected because this is a problem with Kerberos ciphersuites and the OpenSSL code is extremely MIT Kerberos specific so this flaw doesn't affect it.

    From the FreeBSD security list:

    If one compiles OpenSSL oneself, *and* has MIT Kerberos, *and*
    > enables the Kerberos options, *and* has all ciphersuites (or at least
    > the Kerberos ciphersuites) specified in your application's
    > configuration, then you might be affected. But that has nothing to
    > do with FreeBSD.
    > Thus, answering your question again:
    >
    > Isn't FreeBSD vulnerable to the second "Out-of-bounds read affects
    > Kerberos ciphersuites" security problem?
    >
    > No, FreeBSD is not.

  7. Re:Non-Exploitable Security DOS Exploit by NightSpots · · Score: 4, Informative

    Never used RHN, have you?

    First thing it does is `rpm -qa` and sends that list right to RedHat.

    It's really hard to know what updates to provide without seeing a list of software packages installed. Sure, they could differentiate between "Our" software and "Other" software in the list of installed programs, but that's just silly - send the whole list, and ignore the stuff you don't care about.

    --

    --
    Use Vobbo for Video Blogs
  8. Redhat? by Jesus+IS+the+Devil · · Score: 4, Informative

    If you have RedHat and can't do the up2date any longer, here's what I did to make mine work:

    wget http://www.openssl.org/source/openssl-0.9.7d.tar.g z
    tar xvfz openssl-0.9.7d.tar.gz
    cd openssl-0.9.7d ./config shared --prefix=/usr
    make
    make test
    make install

    Configure with "shared" because it will install the shared library, which is needed for other programs such as SSHD. The prefix is where RedHat put its *.so files that's needed by OpenSSH.

    Not sure if it's required or not, but I just restarted SSHD (uses OpenSSL) after that just in case.

    Btw, the above is just what I did. I make no warranties. Follow it at your own risk. :)

    --

    eTrade SUCKS