Slashdot Mirror


Major OpenSSL Security Issue Found (and Fixed)

tearmeapart writes "A major security issue has been found in all OpenSSL packages. You probably want to download your preferred OpenSSL package as soon as possible. Changes to the CVS repository are detailed on the OpenSSL timeline."

4 of 78 comments

  1. Anyone want to translate this into dummy speak? by mallyone · Score: 3, Interesting

    Is this a remote exploit? Does this mean my client can be overrun if a server throws me a bad packet or two? I guess my other question is, how can the most utilized utility on a system still have unchecked overflows? It has to have been audited about a trillion times? Please help, half-assed Linux admins want to know!

    1. Re:Anyone want to translate this into dummy speak? by Anonymous Coward · Score: 2, Interesting

      Right. I've posted elsewhere that the documentation, what there is of it, is obscure and minimal. I'd probably get the O'Reilly book if I had to work with it again - not sure how good that is but it has to be better than the docs.

    2. Re:Anyone want to translate this into dummy speak? by swillden · Score: 5, Interesting

      I guess my other question is, how can the most utilized utility on a system still have unchecked overflows?

      Have you ever looked at the OpenSSL code? It could have the Ark of the Covenant hidden in all that mess somewhere for all we know and we'd never find it.

      No kidding. I've seen a lot of horrible messes in my career, but OpenSSL tops them all. There have to be hundreds of serious security bugs lurking in there... the only thing saving us is that it's so nasty not even the black hats want to dig in there to find them. Good security code should be as simple and straightforward as possible, to make it easy to verify. The authors of OpenSSL took a... different approach.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. Re:It only affects 64-bit systems by Anonymous Coward · Score: 2, Interesting

    I'm sorry, but that's just bad programming. When I took C 15 years ago in college, one of the very first lessons was the professor telling the class to never assume data size.

    Data type sizes are something we knew about and resolved over 30 years ago, so it makes me sad we still encounter this today.
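The "never assume data size" point in the comment above, as an added C example (constructed here; it is not code from OpenSSL or from any of the commenters): a length read from the wire as a 64-bit value is narrowed to `unsigned int` before the bounds check, so on an LP64 system a value that wraps past 32 bits passes the check, while the same check done in full width rejects it. The function names and the wire-length/capacity parameters are assumptions for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Faulty pattern: the 64-bit length is narrowed to a 32-bit unsigned int
 * *before* the bounds check, so the check sees the wrapped value, not the
 * real one. (Hypothetical function; constructed for this illustration.) */
bool length_ok_truncating(uint64_t wire_len, size_t capacity)
{
    unsigned int n = (unsigned int)wire_len;   /* assumes wire_len fits in 32 bits */
    return n <= capacity;                      /* compares the wrapped value */
}

/* Width-preserving check: compare in the widest type and only narrow after
 * the value has been proven to fit. Also correct on ILP32, where size_t is
 * narrower than the 64-bit wire length. */
bool length_ok(uint64_t wire_len, size_t capacity)
{
    if (wire_len > (uint64_t)SIZE_MAX)         /* not even representable as size_t */
        return false;
    return (size_t)wire_len <= capacity;
}

/* True when the two checks disagree for this input, i.e. when the narrowing
 * check would accept a length the full-width check rejects (or vice versa). */
bool check_mismatch(uint64_t wire_len, size_t capacity)
{
    return length_ok_truncating(wire_len, capacity) != length_ok(wire_len, capacity);
}
```

With a 32-byte buffer, a wire length of 2^32 + 16 wraps to 16 in the narrowing check and is accepted; the full-width check rejects it, and `check_mismatch` reports the disagreement.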