Slashdot Mirror


OpenSSL Patches Eight New Vulnerabilities

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.

30 of 79 comments

  1. Sick of this by Anonymous Coward · · Score: 3, Insightful

    LibreSSL can't come soon enough.

    1. Re:Sick of this by Anonymous Coward · · Score: 1

      A library with bugs in it? An open source project is getting fixed as more people look at it? The hell you say.... Next you will be telling me they fix bugs in the kernel.... weeeeeeeeeeird....

    2. Re:Sick of this by Anonymous Coward · · Score: 1

      Five of those vulnerabilities are two and a half months old. I don't care how "low" the severity is, it should not take that long to be patched.

    3. Re:Sick of this by Anonymous Coward · · Score: 5, Informative

      Of course it did, it is a fork (copy) of OpenSSL.

      However, one or two of the issues were fixed in LibreSSL back in May, before being discovered in OpenSSL.
      They were fixed as part of the general code quality improvement, and cleaning up the error handling and memory management.

      https://twitter.com/bob_beck/status/553233391164743682

  2. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 5, Informative

    If you had been paying attention you'd know that OpenSSL gets bugs reported, LibreSSL fixes them while OpenSSL stands around with their collective dick in their hands.

  3. Go easy on the OpenSSL guys ! by slincolne · · Score: 4, Interesting

    The beauty of Open Source is that when issues like this are discovered, they are dealt with.

    With a closed source product you basically have to trust the vendor to get it right, and to patch defects in a timely manner.

    OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

    I just wish that the big players who use this in their products would support the developers - and make it a better outcome for all of us who rely on this product.

    1. Re:Go easy on the OpenSSL guys ! by maestroX · · Score: 2

      OpenSSL is a classic demonstration of two of the truths of computer programming - namely that good cryptography is HARD.

      #2: write readable and maintainable code.

    2. Re:Go easy on the OpenSSL guys ! by Lennie · · Score: 1

      I think this is a good sign for a different reason.

      We all know OpenSSL could be a lot better. Supposedly they got more funding.

      If they are busy finding and fixing bugs, that could be a good thing.

      --
      New things are always on the horizon
    3. Re:Go easy on the OpenSSL guys ! by Anonymous Coward · · Score: 1, Insightful

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      Or possibly that people who are good at cryptography aren't necessarily very good at programming.
      Many of the bugs have nothing to do with cryptography but are the result of bad programming practices in general.

    4. Re:Go easy on the OpenSSL guys ! by phantomfive · · Score: 2

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      OpenSSL is a mess that demonstrates nothing of the sort. Cryptography is hard, but OpenSSL lost before getting to that point by having horrid coding practices.

      If you want to have a clear understanding of how bad it is, the OpenBSD team is live blogging the mess as they clean it up. In short, OpenSSL was not written by a responsible (or entirely competent) dev team.

      --
      "First they came for the slanderers and i said nothing."
  4. What? by ArchieBunker · · Score: 1

    OpenSSL had crippling bugs for years until heartbleed. Tens of thousands of people spoke of the virtue of open source and "many eyes" but apparently the author was the only one reading the source.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:What? by Barsteward · · Score: 1

      So why weren't you reading the source? It's there for you to do so...

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    2. Re:What? by Barsteward · · Score: 1

      Aaahh.. a non-user with an opinion. Not being a programmer doesn't stop you from reading and learning. OSS is for everyone, but being a sideline whining smartass is frowned upon.

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    3. Re:What? by phantomfive · · Score: 1

      That level of programmer isn't all that common, especially for software as complicated as most security software is.

      You don't have to be a genius to spot bugs in OpenSSL. Even a non-professional programmer could look at it and say, "Yeah, that stuff is bad."

      --
      "First they came for the slanderers and i said nothing."
    4. Re:What? by Shados · · Score: 1

      Because I'm too busy "reading the source" and fixing shit in a bunch of other projects. One person can only do so much.

    5. Re:What? by kmoser · · Score: 1

      It's one thing to find a bug. It's another thing to fix the bug, let alone know that you've definitively fixed it and not introduced other bugs.

    6. Re:What? by phantomfive · · Score: 1

      Thanks for clarifying that.

      --
      "First they came for the slanderers and i said nothing."
  5. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 1

    Agree..

    I'm all for security fixes.. but seriously, when are they going to look for some serious flaws and fix those, rather than pretend they're doing above and beyond by "fixing tens of vulnerabilities!!!" that are merely low severity?

    I really hope LibreSSL [libressl.org] takes over some day, including the corporate market, with FIPS and other compliance too.

  6. Re:OpenSSL must fucking die by itzly · · Score: 1

    Show us the code!

    You must have missed the link.

  7. Correction by wonkey_monkey · · Score: 1

    OpenSSL patches eight old vulnerabilities

    FTFY. They are newly discovered, but not new.

    --
    systemd is Roko's Basilisk.
  8. Re:OpenSSL must fucking die by ruir · · Score: 4, Insightful

    That bunch of monkeys have done something better than most: they have given their free time to the project, they have advanced our knowledge of security, they have built a product used by a myriad of OSes and vendors for almost 2 decades FOR FREE. Much more than some schmuck who comes here ranting, and the idiots that mod him informative.

  9. Fork OpenSSL to OpenTLS by Morris+von+Habsburg · · Score: 2

    I feel it would make most sense if they planned to abolish OpenSSL in favor of a new library called OpenTLS.

    Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future. For instance, don’t copy SSL or TLS 1.0 to the new fork. Nobody should be using SSL anyway so it can easily stay out of the new OpenTLS.

    The new OpenTLS library can then be cleaned up and strengthened without causing too much harm to users of legacy OpenSSL, although some things could be backported from OpenTLS to OpenSSL.

    Anyone starting a new project would obviously opt for OpenTLS and would stay clear of legacy OpenSSL, and slowly but surely the use of legacy OpenSSL would diminish in favor of the brave new OpenTLS.

    1. Re:Fork OpenSSL to OpenTLS by Anonymous Coward · · Score: 1

      I think the LibreSSL people have shown that any such project should probably be restarted from scratch.

      Overall, my experience with dealing with various libraries is that what someone really needs is to write a library that basically wraps connect(), accept(), write(), read() and close() so that people can just do SSL without needing a billion steps that are poorly documented and trivial to completely fuck up.

      While I'm begging, I'd also like someone to make a modern SSL cert tool that handles all the fancy shit from the 90's like Subject Alternative Names without having to use obtuse configuration files (what's that, you manage certs for several different domains and have to completely rewrite your configuration file for each of them just to get the SAN list right and if you forget your certificates are all fucked up?). Bonus points if you make the program noob-friendly by changing the prompts to match what people are trying to do ("Common Name (e.g. server FQDN or YOUR name)" - in what situation is my name EVER appropriate here?) so people don't have to look up a tutorial just to figure out basic operation.

    2. Re:Fork OpenSSL to OpenTLS by phantomfive · · Score: 3, Insightful

      Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future.

      It's a fine idea but it wouldn't help you because the problem isn't the algorithm, the problem is the code. OpenSSL is known to have bugs in its TLS code, too. The problems here start even before getting to the algorithm.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Fork OpenSSL to OpenTLS by greg1104 · · Score: 3, Informative

      Been tried already; see gnutls. We tried to switch from OpenSSL to gnutls as the preferred SSL library for PostgreSQL a few years back, even got some press coverage documenting the whole thing. But, sadly, OpenSSL has too many quirky APIs to make a transition away from it easy. And anyone who tries to be "bug compatible" creating a replacement to that mess is going to inherit some of the same bad design that needs to be burned with fire.

    4. Re:Fork OpenSSL to OpenTLS by phoenix_rizzen · · Score: 1

      Uhm, it's already been done: libressl

  10. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  11. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 2, Informative

    Because all commits have to be approved by the top team, who, again, stand around with their dicks in their hands. It doesn't matter how fast you are to help them; until one approves it, it isn't fixed.

  12. Re:OpenSSL must fucking die by phantomfive · · Score: 1

    uses html4-ish concepts from the 90's

    The internet was a better place then, man.

    --
    "First they came for the slanderers and i said nothing."
  13. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 1

    OpenSSL had submitted patches that fixed security bugs that they sat on for years. They were just too lazy to apply the patches. It wasn't until the spotlight hit that they wanted to pretend to care.