Slashdot Mirror


OpenSSL Patches Eight New Vulnerabilities

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.

79 comments

  1. Sick of this by Anonymous Coward · · Score: 3, Insightful

    LibreSSL can't come soon enough.

    1. Re:Sick of this by Anonymous Coward · · Score: 1

      A library with bugs in it? An open source project is getting fixed as more people look at it? The hell you say.... Next you will be telling me they fix bugs in the kernel.... weeeeeeeeeeird....

    2. Re:Sick of this by Anonymous Coward · · Score: 0

      Anyone know if LibreSSL had these issues as well?

    3. Re:Sick of this by Anonymous Coward · · Score: 1

      Five of those vulnerabilities are two and a half months old. I don't care how "low" the severity is, it should not take that long to be patched.

    4. Re: Sick of this by Anonymous Coward · · Score: 0

      Ya get what ya pay for

    5. Re: Sick of this by Anonymous Coward · · Score: 0

      Yes. $0 for software with bugs, or high cost software with lots of bugs and deliberate back doors.

    6. Re:Sick of this by Anonymous Coward · · Score: 5, Informative

      Of course it did, it is a fork (copy) of OpenSSL.

      However, one or two of the issues were fixed in LibreSSL back in May, before being discovered in OpenSSL.
      They were fixed as part of the general code quality improvement, and cleaning up the error handling and memory management.

      https://twitter.com/bob_beck/status/553233391164743682

    7. Re:Sick of this by Anonymous Coward · · Score: 0

      I sure hope they straighten out the allocator. The Heartbleed bug was possible because the bizarre OpenSSL allocator let them use a use-after-free trick to get the heartbeat data. The patch I saw at the time of the crisis did nothing but mitigate the problem. Wouldn't you know: the main author of RFC 6520 ("Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension") is also an OpenSSL maintainer.

      OpenSSL may have a better heartbeat-extension implementation by now. I haven't looked at the source recently. What I did see was that the source was pretty funky.

      I'll have to give it another look at the OpenSSL code. I'll also take a look at LibreSSL, but I sure haven't jumped to that either. In the meantime, I've been disabling the heartbeat extension altogether.

  2. Time to switch to LibreSSL by MSJos · · Score: 0

    Seems to make sense, no?

    1. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 0, Insightful

      No.

      No guarantee it doesn't have the same bugs, in fact it probably does have at least some of them.

      Difference is, OpenSSL gets bugs found and reports theirs :)

      Or to put it another way: Security from obscurity isn't real security.

    2. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 0

      Is there any way to tell if LibreSSL was affected by any of these? If no impact on LibreSSL, it would definitely be a strong case to switch at this point.

    3. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 5, Informative

      If you had been paying attention you'd know that OpenSSL gets bugs reported, LibreSSL fixes them while OpenSSL stands around with their collective dick in their hands.

    4. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 1

      Agree..

      I'm all for security fixes.. but seriously, when are they going to look for some serious flaws and fix those, rather than pretend they're doing above and beyond by "fixing tens of vulnerabilities!!!" that are merely low severity?

      I really hope LibreSSL [libressl.org] takes over some day, including the corporate market, with FIPS and other compliance too.

    5. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 0, Insightful

      this has got to be some NSA troll trying to encourage everyone not to worry about openSSL, because anyone that had a frigen clue and has been following the trainwreck management of the openssl project knows that is complete and total bullshit.

      People were submitting patches to problems in openssl, and they just sat there for years while the project ignored them or never applied them.

      The openssl project is the poster child for what is wrong with opensource today. Essentially opensource is turning in to an open sewer, where every half ass programmer or kid that just discovered programming can dump crap code and there is no where near sufficient experience eyeballs to watch and test it all. I am sure the security agencies and bad guys take full advantage of it.

      That something as mission critical to thousands or millions of both public and private projects was so badly run is a scandal of the highest level.

      My hat's off to libreSSL and the BSD boys for taking a crack at cleaning this mess up, and at the earliest possible opportunity I will be switching my systems not only to SSL but BSD. I love linux and the rest of the linux open source eco-system, but the stability and security situation has been progressively getting worse in linux land for a while.

    6. Re:Time to switch to LibreSSL by Barsteward · · Score: 0

      Why don't you get your dick out of your hands and help out?

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    7. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 0

      It is true, it is so obvious a bunch of mod trolls are watching this closely, I saw comments that spoke the truth about OpenSSL got modded down from +3 +4 right down to 0, even mild comments that only suggested people to switch to LibreSSL got hit as well, the OP was +1 or +2 some hour ago.

      All the dumb OpenSSL ass kissing comments got modded up to +4 +5 straight away and stayed that way.

      Slashdot is like amateur hour.

      Must be great working in a government building modding up crap all day misleading the public while getting paid.

    8. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 2, Informative

      Because all commits have to be approved by the top team; Who, again, stand around with their dicks in their hands. Doesn't matter how fast you are to help them, but until one approves it, it isn't fixed.

    9. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 0

      Anyone got a howto for switching from openssl to libressl on apache 2.2 / debian squeeze?

    10. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 0

      Just load all comments? And read whatever seems worthy your time? And seriously, modding, on slashdot? Heh, almost as in, what are mod-points .... thx, later, by the way, I enjoyed reading up on Anonymous Coward on Saturday January 10, 2015 @08:41AM (#48780573).

    11. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 1

      OpenSSL had submitted patches that fixed security bugs that they sat on for years. They were just too lazy to apply the patches. It wasn't until the spotlight hit that they wanted to pretend to care.

    12. Re: Time to switch to LibreSSL by Anonymous Coward · · Score: 0

      I thought it only works for openbsd at the moment. I could be wrong.

  3. Time to switch to another protocol by Anonymous Coward · · Score: 0

    Howto switch from SSL to something else: How to remove SSL

  4. Go easy on the OpenSSL guys ! by slincolne · · Score: 4, Interesting

    The beauty of Open Source is that when issues like this are discovered, they are dealt with.

    With a closed source product you basically have to trust the vendor to get it right, and to patch defects in a timely manner.

    OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

    I just wish that the big players who use this in their products would support the developers - and make it a better outcome for all of us who rely on this product.

    1. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      The big players are, sort of, after a fashion, supporting OpenSSL now.

      It's the smaller commercial players who are doing it most effectively though.

    2. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      OpenSSL is a monstrosity. It should be taken out back and killed. Switch to LibreSSL already.

    3. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      How many of those vulnerabilities have been in the cryptography part of the code? Pretty much none, it always seems to be the protocol layer that has issues.

    4. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      Wrong, OpenSSL is the classic demonstration of THE truth of life - Idiots should never be in charge of anything. Free or not free.

    5. Re:Go easy on the OpenSSL guys ! by maestroX · · Score: 2

      OpenSSL is a classic demonstration of two of the truths of computer programming - namely that good cryptography is HARD.

      #2: write readable and maintainable code.

    6. Re:Go easy on the OpenSSL guys ! by Lennie · · Score: 1

      I think this is a good sign for a different reason.

      We all know OpenSSL could be a lot better. Supposedly they got more funding.

      If they are busy finding and fixing bugs, that could be a good thing.

      --
      New things are always on the horizon
    7. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 1, Insightful

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      Or possibly that people who are good at cryptography aren't necessarily very good at programming.
      Many of the bugs have nothing to do with cryptography but are the result of bad programming practices in general.

    8. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      True, but that isn't the issue here.

      The cryptography itself is taken from the algorithms published by cryptographers.

      Everything else in OpenSSL is unfortunately a POS.

      Watch the long discussion by Bob Beck (from OpenBSD and libreSSL) on how bad the code is in OpenSSL, and the stupid decisions OpenSSL made: https://www.youtube.com/watch?...

    9. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      Well, it's all about having dedicated resources.

      There are myriads of crappy open source software out there. But more and more there are also seriously good open source "products" where professional care is put into them.

      > I just wish that the big players who use this in their products would support the developers - and make it a better outcome for all of us who rely on this product.

      yeah, I agree. But charity without clear benefits is rarely the corporate way.

      It's not easy because why would someone pay for OpenSSL when they can just use a free fork where someone continuously takes the main branch (where all the development costs are put by the main organization) and makes 1 fix and releases it as better for free (or a fraction of the cost because almost no dev costs)? Forking is basically the number 1 strength and the number 1 weakness of open source.

    10. Re:Go easy on the OpenSSL guys ! by phantomfive · · Score: 2

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      OpenSSL is a mess that demonstrates nothing of the sort. Cryptography is hard but openSSL lost before getting to that point by having horrid coding practices.

      If you want to have a clear understanding of how bad it is, the OpenBSD team is live blogging the mess as they clean it up. In short, OpenSSL was not written by a responsible (or entirely competent) dev team.

      --
      "First they came for the slanderers and i said nothing."
    11. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      According to the LibreSSL team, the crypto was fine, it was everything around the crypto that was pure crap.

    12. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 0

      OpenSSL library user here. I feel grateful to these guys for giving me a library like this. I have a lot of respect for them when it comes to cryptography. They may be excellent coders/programmers but as software engineers they suck. It looks as if they intentionally try to make their users' lives more difficult and their applications more buggy and less secure. From a user perspective:
      1. Crappy documentation = more bugs in my code
      2. Having to use their own special functions unrelated to cryptography (BIO) = more complex code = more bugs in my code
      3. Unless I compile OpenSSL with DPURIFY, Valgrind goes crazy = more bugs in my code
      My advice to them: Please forget about premature optimizations, focus just on the task in hand, cryptography, and improve your documentation.

  5. What? by ArchieBunker · · Score: 1

    OpenSSL had crippling bugs for years until heartbleed. Tens of thousands of people spoke of the virtue of open source and "many eyes" but apparently the author was the only one reading the source.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re: What? by Anonymous Coward · · Score: 0

      I think open source is a great idea and I'm an avid Linux user because I prefer Unix. Linux has many procedures of the proprietary vendors.

      Regardless of the source of the software, all it takes is one bad egg. That applies to MS, Apple, Oracle, and countless others.

    2. Re:What? by Anonymous Coward · · Score: 0

      Please stop being retarded. You are somewhat referring to "Linus's Law", a statement named by Eric S. Raymond that says: "given enough eyeballs, all bugs are shallow". OpenSSL clearly did not have enough eyeballs, but the statement does not say that open source software automatically will have many eyeballs.

    3. Re:What? by Barsteward · · Score: 1

      so why weren't you reading the source? its there for you to do so...

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    4. Re:What? by Anonymous Coward · · Score: 0

      Looking at a piece of code can reveal obvious oversights, and many forms of backdoors. But catching security bugs requires a fairly thorough understanding of the code - and it takes a significant amount of time to get that level of understanding on any project that isn't yours. How many are going to go through that effort for free? Very very few. And among those, who has the actual ability to detect such issues? Even fewer.

    5. Re:What? by Anonymous Coward · · Score: 0

      Because I'm not a programmer. Or is open source software only to be used by programmer end-users?

    6. Re:What? by Barsteward · · Score: 1

      aaahh.. a non-user with an opinion. not being a programmer doesn't stop you from reading and learning. OSS is for everyone but being a sideline whining smartass is frowned upon.

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    7. Re:What? by phantomfive · · Score: 1

      That level of programmer isn't all that common, especially for software as complicated as most security software is.

      You don't have to be a genius to spot bugs in openSSL. Even a non-professional programmer could look at it and say, "Yeah, that stuff is bad."

      --
      "First they came for the slanderers and i said nothing."
    8. Re:What? by Shados · · Score: 1

      Because I'm too busy "reading the source" and fixing shit in a bunch of other projects. One person can only do so much.

    9. Re:What? by Anonymous Coward · · Score: 0

      You are more than welcome to try your best then: https://github.com/openssl/ope...

      My apologies to all who follow that link and have their eyes start bleeding.

    10. Re:What? by kmoser · · Score: 1

      It's one thing to find a bug. It's another thing to fix the bug, let alone know that you've definitively fixed it and not introduced other bugs.

    11. Re:What? by phantomfive · · Score: 1

      Thanks for clarifying that.

      --
      "First they came for the slanderers and i said nothing."
  6. OpenSSL must fucking die by Anonymous Coward · · Score: 0, Flamebait

    OpenSSL was written by a bunch of monkeys who either didn't understand security, didn't give a shit about security, or were NSA agents pretending to be dumb and careless.

    Their source code looks like a fucking regurgitated hairball, pages after pages of deeply nested spaghetti if/else that requires hours/days to scroll up and down, switch back and forth between files just to understand what a small section does. That makes it nearly impossible for people to provide patches because by the time they understand half of the code they are already burnt out and have lost interest.

    Fuck OpenSSL, it is now nothing more than a project run by burnt out programmers who don't give a shit and will only add even more shit to it to earn a paycheck, and whatever "bugs" they fix, you can bet the NSA is still sitting on a pile of 10-year-old bugs and exploits.

    Switch to LibreSSL, simply because it is developed by people who have standards and care about reputation.

    1. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      Is it an unwritten rule that all projects like this have to have a:
      - web page that looks like complete ass
      - looks like it was typed in a raw text editor with its mixture of tabs and spaces
      - uses html4-ish concepts from the 90's

      I look forward to seeing its "modernized" codebase for sure now (caring about your craft extends to all aspects of your project, web included)

    2. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      OpenSSL was written by a bunch of monkeys who either didn't understand security, didn't give a shit about security, or were NSA agents pretending to be dumb and careless.

      Maybe you can do a better job.
      Show us the code!

    3. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      Not everyone has the special talent required to create this kind of fuck ups.

    4. Re:OpenSSL must fucking die by itzly · · Score: 1

      Show us the code!

      You must have missed the link.

    5. Re:OpenSSL must fucking die by ruir · · Score: 4, Insightful

      That bunch of monkeys have done something better than most: they have given their free time to the project, they have advanced our knowledge of security, they have built a product used by a myriad of OSes and vendors for almost 2 decades FOR FREE. Much more than some schmuck that comes here ranting, and the idiots that mod him informative.

    6. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      Their source code looks like a fucking regurgitated hairball, pages after pages of deeply nested spaghetti if/else that requires hours/days to scroll up and down, switch back and forth between files just to understand what a small section does.

      Yeah, it's a bit crusty. Here's the OpenSSL tree in GitHub if someone is curious and wants to take a look.

    7. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      So, you already fixed it? We're waiting for you to post your code. The code where every single line is brilliant and efficient and so elegantly designed that angels will actually weep. Until then your rant is kinda funny. And useless.

    8. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      Are we talking about the same guys, the ones that were busy getting lucrative FISA-related contracting jobs and in general had to be consulted on any kind of change to the code since it was such a horrible mess that any sane coder would rather quit their jobs than touch it with a 15-foot pole?

    9. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      I for one will not touch OpenSSL or anything else their team developed with a 9 foot pole.

      Yes you will, a million times a day, as your client connects to everything else on the Internet. Kinda sucks doesn't it?

    10. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      Time to switch to LibreSSL (Score:0) got modded down as well
      They must be desperate

    11. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      So, you already fixed it? We're waiting for you to post your code. The code where every single line is brilliant and efficient and so elegantly designed that angels will actually weep. Until then your rant is kinda funny. And useless.

      You want funny rant, the LibreSSL guys did an even better one.

      Protip: You GCHQ/NSA shills are being too obvious, no true geek would protect OpenSSL. Does your handler/manager even know you're doing a shit job?

      Nothing is as useless as an NSA shill trying to play dumb on a geek site. It just doesn't work.

    12. Re:OpenSSL must fucking die by phantomfive · · Score: 1

      uses html4-ish concepts from the 90's

      The internet was a better place then, man.

      --
      "First they came for the slanderers and i said nothing."
    13. Re:OpenSSL must fucking die by Anonymous Coward · · Score: 0

      Spanish fresco restoration botched by amateur http://www.bbc.com/news/world-...
      If you're really bad at something, what you provide has negative value. Even if OpenSSL never formed, something else would have.

  7. Correction by wonkey_monkey · · Score: 1

    OpenSSL patches eight old vulnerabilities

    FTFY. They are newly discovered, but not new.

    --
    systemd is Roko's Basilisk.
  8. OPEN SORES by Anonymous Coward · · Score: 0

    "All those eyes on the code" != secure despite bs spouted here on /. hahahahahaha

    1. Re:OPEN SORES by Anonymous Coward · · Score: 0

      Meanwhile Windows issues an emergency XP patch to fix an SSL bug, and another patch to fix an OLE exploit that's been around since Windows 95. "No eyes on the code" != secure either.

  9. Hindsight is 20/20 by Anonymous Coward · · Score: 0

    No-one really cared to look into, or help support, OpenSSL for a very long time. They just used it, and relied on the few people that wrote it to maintain it on their own. Now that problems have been found, people are jumping on the bandwagon to shout about how terrible it is. If you are looking to blame someone, try starting with the person in the mirror. Many people on here have knowledge about coding, but did nothing to help OpenSSL. When did you take the time to look into the code, and report bugs over the years?

    1. Re:Hindsight is 20/20 by Anonymous Coward · · Score: 0

      Many people on here have knowledge about coding, but did nothing to help OpenSSL.

      Security Software is very much an advanced programming field. Having knowledge of code is a very big distance from knowing how to find and search for security bugs. Show these very issues to your average programmer, tell them that there is a bug here, and they likely won't find them.

      It's made even worse by source code of questionable quality - and that isn't something you can just hop in and fix; hence the creation of forks like LibreSSL. Actually refactoring OpenSSL to a quality level that's acceptable, which is necessary for avoiding and catching a lot of bugs (ESPECIALLY for less experienced developers or developers with less time), is a process that will take years.

      Sad reality is that once code is as deep into code debt as OpenSSL is - it's anything but fun or fast to work with.

    2. Re:Hindsight is 20/20 by Anonymous Coward · · Score: 0

      And finally, the assumption is too often made that just because you find or report an error - the maintainers will pay attention. OpenSSL has lots of errors submitted and reported, but some, including one exploit worse than Heartbleed - gets stuck in the bug tracker ignored for over 4 (four) years.

  10. Why not put it out of its misery? by Anonymous Coward · · Score: 0

    If there is a library that deserves to be eliminated it is OpenSSL. Not only is it a load of mostly incomprehensible spaghetti-like code but, in addition, it exposes one of the worst sets of APIs out there - repetitive, inconsistent, poorly documented, absurdly complicated. Sigh. I guess OpenSSL is a bit like Microsoft: the world would be a better place if they could be eliminated and replaced, but that's not gonna happen.

  11. Fork OpenSSL to OpenTLS by Morris+von+Habsburg · · Score: 2

    I feel it would make most sense if they plan for the abolishing of OpenSSL in favor of a new library called OpenTLS.

    Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future. For instance, don’t copy SSL or TLS 1.0 to the new fork. Nobody should be using SSL anyway so it can easily stay out of the new OpenTLS.

    The new OpenTLS library can then be cleaned up and strengthened without causing too much harm to users of legacy OpenSSL, although some things could be backported from OpenTLS to OpenSSL.

    Anyone starting a new project would obviously opt for OpenTLS and would stay clear of legacy OpenSSL and slowly but surely the use of legacy OpenSSL would diminish in favor of the brave new OpenTLS.

    1. Re:Fork OpenSSL to OpenTLS by Anonymous Coward · · Score: 1

      I think the LibreSSL people have shown that any such project should probably be restarted from scratch.

      Overall, my experience with dealing with various libraries is that what someone really needs is to write a library that basically wraps connect() accept() write() read() and close() so that people can just do SSL without needing a billion steps that are poorly documented and trivial to completely fuck up.

      While I'm begging, I'd also like someone to make a modern SSL cert tool that handles all the fancy shit from the 90's like Subject Alternative Names without having to use obtuse configuration files (what's that, you manage certs for several different domains and have to completely rewrite your configuration file for each of them just to get the SAN list right and if you forget your certificates are all fucked up?). Bonus points if you make the program noob-friendly by changing the prompts to match what people are trying to do ("Common Name (e.g. server FQDN or YOUR name)" - in what situation is my name EVER appropriate here?) so people don't have to look up a tutorial just to figure out basic operation.
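The two wishes in the reply above (a TLS connection that is a single call around connect()/read()/write()/close(), and a cert request tool that handles Subject Alternative Names without hand-editing a config file per domain), together with the parent's point that SSL and TLS 1.0 should simply be left out, can be shown with the Python standard library alone. This is an added example, not code from OpenSSL, LibreSSL or any commenter; the function names, the `example.com` host names and the `192.0.2.10` address are constructed for illustration. `request_csr()` is the only part that shells out to the real `openssl req` command, and it is defined but not run here.

```python
"""Added example: a SAN-aware `openssl req` config builder and a one-call
verified TLS client. Standard library only; names below are illustrative."""
import socket
import ssl
import subprocess
import tempfile
from pathlib import Path


def make_san_config(common_name: str, dns_names: list[str], ips: list[str] = ()) -> str:
    """Return an OpenSSL config for `openssl req` carrying a subjectAltName list.

    The CN is repeated as DNS.1 because modern clients match only against
    the SAN list and ignore the CN; duplicates in dns_names are dropped.
    """
    names = [common_name]
    for n in dns_names:
        if n not in names:
            names.append(n)
    alt = [f"DNS.{i} = {n}" for i, n in enumerate(names, start=1)]
    alt += [f"IP.{i} = {ip}" for i, ip in enumerate(ips, start=1)]
    alt_block = "\n".join(alt)
    # `prompt = no` makes `openssl req` read the DN from the [dn] section
    # instead of asking the "Common Name (e.g. server FQDN or YOUR name)" questions.
    return f"""[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = {common_name}

[v3_req]
subjectAltName = @alt_names

[alt_names]
{alt_block}
"""


def request_csr(config_text: str, key_out: Path, csr_out: Path) -> None:
    """Write the config to a temp file and run `openssl req` with it (not executed here)."""
    with tempfile.NamedTemporaryFile("w", suffix=".cnf", delete=False) as f:
        f.write(config_text)
        cfg = f.name
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(key_out), "-out", str(csr_out), "-config", cfg],
        check=True,
    )


def make_client_context() -> ssl.SSLContext:
    """Client context that verifies the chain and hostname and refuses SSLv3/TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # the "leave SSL and TLS 1.0 out" policy
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the policy a context enforces, as plain strings/bools."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "minimum_version": ctx.minimum_version.name,
    }


def open_tls(host: str, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """connect() plus TLS handshake in one call; the returned socket has
    the usual send()/recv()/close() and is already verified against `host`."""
    ctx = make_client_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        return ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()  # don't leak the plain socket on a failed handshake
        raise


if __name__ == "__main__":
    # Constructed sample: one CSR covering three names and one address.
    print(make_san_config("www.example.com", ["example.com", "api.example.com"], ["192.0.2.10"]))
    print(describe_context(make_client_context()))
```

Run it to print the generated config; pass that text to `request_csr()` to produce a key and CSR with the full SAN list in one go. `open_tls()` is what the "just do SSL" wrapper boils down to once the context is set up correctly: verification is on, old protocol versions are refused, and a failed handshake raises instead of silently falling back.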

    2. Re:Fork OpenSSL to OpenTLS by phantomfive · · Score: 3, Insightful

      Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future.

      It's a fine idea but it wouldn't help you because the problem isn't the algorithm, the problem is the code. OpenSSL is known to have bugs in its TLS code, too. The problems here start even before getting to the algorithm.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Fork OpenSSL to OpenTLS by greg1104 · · Score: 3, Informative

      Been tried already; see gnutls. We tried to switch from OpenSSL to gnutls as the preferred SSL library for PostgreSQL a few years back, even got some press coverage documenting the whole thing. But, sadly, OpenSSL has too many quirky APIs to make a transition away from it easy. And anyone who tries to be "bug compatible" creating a replacement to that mess is going to inherit some of the same bad design that needs to be burned with fire.

    4. Re:Fork OpenSSL to OpenTLS by phoenix_rizzen · · Score: 1

      Uhm, it's already been done: libressl

  12. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  13. But by Anonymous Coward · · Score: 0

    He demands everyone do the work for him and have his vagina personally satisfied. He doesn't care how "low" the severity is.