Multiple Vulnerabilities in OpenSSL
gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."
Please don't comment "so I guess Windows isn't so insecure, is it...". We always seem to get a few of these. OpenSSL/OpenBSD has a VERY good security track record. Is a vulnerability a problem? Yes, but when MS has OpenBSD's track record, you can compare.
Also I think this is a good news post simply because it helps to show we're not anti-Windows biased. We report security problems on ALL OSes.
Oh well, sometimes you just have to combat the trolls.
For those of us not on the FreeBSD mailing list, it is.
It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.
cvs, make and build sure.. But when it's click Windows Update, somehow it's some monumental task that's just the worst thing imaginable.
I don't need no instructions to know how to rock!!!!
It's fairly reasonable to assume that the developers knew of the vulnerability some time before the new version became available.
I think it's good practice to do this if you can develop the new version fast enough. Announcing it early is only inviting someone to exploit it. I doubt anyone will fix the vulnerability themselves and put it into production before the official release comes out.
...is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago.
./ to report the problem. Also it's good to wait about 36 hours or so for the fix to go through the motions, as the sudden interest rattles free other problems.
Yes. Most of us are not on the FreeBSD mailing list. Instead we wait for the more mainstream outlets like
You have a good point, as using Windows Update is easier than (or at least as easy as) any GNU/Linux update method, and can be made automatic very easily (like some GNU/Linux update methods).
One noteworthy difference, however, is that none of the BSD or GNU/Linux update methods tell the vendor the software (and their versions) that you run. To their credit, at least, none of them (including Microsoft) collect any actual personally identifiable information.
Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
Rule #1: Unsafe data should be handled in sandboxed languages.
Rule #2: Programs that are exposed to unsafe data (server processes) should run at some minimum and constrained privilege level, not as root. The "must be root to bind to ports less than 1024" rule on Unix is almost exactly the opposite of what the rule should be.
I'm sure many people who don't understand these issues will flame me or say I am trolling, but oh well, someone needs to keep bringing this up until it sinks in.
------------
Create a WAP server
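As an added example (not code from the page, from the poster, or from OpenSSL), the standard Unix answer to the "root to bind below 1024" rule the post objects to: do the one privileged step (the bind) first, then drop to an unprivileged uid/gid before any untrusted byte is read from the network. The port 443 and the uid/gid 65534 ("nobody" on many systems) are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Give up root irrevocably. Order matters: supplementary groups first
 * (only root may clear them), then the primary gid, then the uid; doing
 * setuid() first would leave us unable to change groups afterwards.
 * Returns 0 on success, -1 (with errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Paranoia check: after a real drop, regaining root must fail.
     * Skipped when the target uid is 0, i.e. no drop was requested. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Is the calling process currently unable to become root? */
int running_unprivileged(void)
{
    return getuid() != 0 && geteuid() != 0 && setuid(0) != 0;
}

/* Create a loopback TCP listener on `port`; a port below 1024 only
 * succeeds while the process still has root. Returns the fd or -1. */
int bind_listener(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 16) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Step 1: the privileged work (the low port) happens before anything
     * untrusted arrives from the network. Port 443 is an assumption. */
    int fd = bind_listener(443);
    if (fd < 0) {
        perror("bind_listener(443)");   /* EACCES when not started as root */
        return 1;
    }
    /* Step 2: drop to an unprivileged account before accept(). uid/gid
     * 65534 is an assumption ("nobody" on many systems). */
    if (drop_privileges(65534, 65534) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("listening on fd %d as uid %d, root regainable: %s\n",
           fd, (int)getuid(), running_unprivileged() ? "no" : "yes");
    /* The accept()/handshake loop, the part that parses attacker-controlled
     * data, would run here with no way back to root. */
    close(fd);
    return 0;
}
```

Started as an ordinary user, the program fails at the bind with EACCES, which is exactly the rule the post complains about; started as root, it holds root only for the bind and parses nothing before the drop. A handshake bug like the ones in the advisory then crashes or exposes a process running as nobody rather than root.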
>Honestly people, is this really /. front page news?
Yes, let's just wait till some kiddie writes a worm that crashes thousands of servers all over the world and then post about it.
I like that slashdot posts security problems. Why?
1. For the lazy admin. There's lots of them.
2. Because it's important to keep reinforcing the idea that computers suck (I don't care what OS you like) and need constant care.