Slashdot Mirror


OpenSSL Patches Eight New Vulnerabilities

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.

6 of 79 comments

  1. Sick of this by Anonymous Coward · Score: 3, Insightful

    LibreSSL can't come soon enough.

  2. Re:Time to switch to LibreSSL by Anonymous Coward · Score: 0, Insightful

    No.

    No guarantee it doesn't have the same bugs, in fact it probably does have at least some of them.

    Difference is, OpenSSL gets bugs found and reports theirs :)

    Or to put it another way: Security from obscurity isn't real security.

  3. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · Score: 1, Insightful

    OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

    Or possibly that people who are good at cryptography aren't necessarily very good at programming.
    Many of the bugs have nothing to do with cryptography but are the result of bad programming practices in general.

  4. Re:OpenSSL must fucking die by ruir · Score: 4, Insightful

    That bunch of monkeys have done something better than most, they have given their free time for the project, they have advanced our knowledge of security, they have built a product used by a myriad of OS and vendors for almost 2 decades FOR FREE. Much more than some schmuck that comes here ranting, and the idiots that mod him informative.

  5. Re:Time to switch to LibreSSL by Anonymous Coward · Score: 0, Insightful

    this has got to be some NSA troll trying to encourage everyone not to worry about openSSL, because anyone that had a friggin' clue and has been following the trainwreck management of the openssl project knows that is complete and total bullshit.

    People were submitting patches to problems in openssl, and they just sat there for years while the project ignored them or never applied them.

    The openssl project is the poster child for what is wrong with opensource today. Essentially opensource is turning into an open sewer, where every half-ass programmer or kid that just discovered programming can dump crap code and there are nowhere near sufficient experienced eyeballs to watch and test it all. I am sure the security agencies and bad guys take full advantage of it.

    That something as mission critical to thousands or millions of both public and private projects was so badly run is a scandal of the highest level.

    My hat's off to libreSSL and the BSD boys for taking a crack at cleaning this mess up, and at the earliest possible opportunity I will be switching my systems not only to SSL but BSD. I love linux and the rest of the linux open source eco-system, but the stability and security situation has been progressively getting worse in linux land for a while.

  6. Re:Fork OpenSSL to OpenTLS by phantomfive · Score: 3, Insightful

    Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future.

    It's a fine idea but it wouldn't help you because the problem isn't the algorithm, the problem is the code. OpenSSL is known to have bugs in its TLS code, too. The problems here start even before getting to the algorithm.

    --
    "First they came for the slanderers and i said nothing."