
OpenSSL Patches Eight New Vulnerabilities

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.


  1. Sick of this by Anonymous Coward · · Score: 3, Insightful

    LibreSSL can't come soon enough.

    1. Re:Sick of this by Anonymous Coward · · Score: 5, Informative

      Of course it did, it is a fork (copy) of OpenSSL.

      However, one or two of the issues were fixed in LibreSSL back in May, before being discovered in OpenSSL.
      They were fixed as part of the general code quality improvement, and cleaning up the error handling and memory management.

      https://twitter.com/bob_beck/status/553233391164743682

  2. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 5, Informative

    If you had been paying attention you'd know that OpenSSL gets bugs reported, LibreSSL fixes them while OpenSSL stands around with their collective dick in their hands.

  3. Go easy on the OpenSSL guys ! by slincolne · · Score: 4, Interesting

    The beauty of Open Source is that when issues like this are discovered, they are dealt with.

    With a closed source product you basically have to trust the vendor to get it right, and to patch defects in a timely manner.

    OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

    I just wish that the big players who use this in their products would support the developers - and make it a better outcome for all of us who rely on this product.

    1. Re:Go easy on the OpenSSL guys ! by maestroX · · Score: 2

      OpenSSL is a classic demonstration of two of the truths of computer programming - namely that good cryptography is HARD.

      #2: write readable and maintainable code.

    2. Re:Go easy on the OpenSSL guys ! by phantomfive · · Score: 2

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      OpenSSL is a mess that demonstrates nothing of the sort. Cryptography is hard but OpenSSL lost before getting to that point by having horrid coding practices.

      If you want to have a clear understanding of how bad it is, the OpenBSD team is live blogging the mess as they clean it up. In short, OpenSSL was not written by a responsible (or entirely competent) dev team.

      --
      "First they came for the slanderers and I said nothing."

  4. Re:OpenSSL must fucking die by ruir · · Score: 4, Insightful

    That bunch of monkeys have done something better than most: they have given their free time to the project, they have advanced our knowledge of security, they have built a product used by a myriad of OSes and vendors for almost 2 decades FOR FREE. Much more than some schmuck who comes here ranting, and the idiots that mod him informative.

  5. Fork OpenSSL to OpenTLS by Morris+von+Habsburg · · Score: 2

    I feel it would make most sense if they plan for the abolishing of OpenSSL in favor of a new library called OpenTLS.

    Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future. For instance, don’t copy SSL or TLS 1.0 to the new fork. Nobody should be using SSL anyway so it can easily stay out of the new OpenTLS.

    The new OpenTLS library can then be cleaned up and strengthened without causing too much harm to users of legacy OpenSSL, although some things could be backported from OpenTLS to OpenSSL.

    Anyone starting a new project would obviously opt for OpenTLS and would stay clear of legacy OpenSSL and slowly but surely the use of legacy OpenSSL would diminish in favor of the brave new OpenTLS.

    1. Re:Fork OpenSSL to OpenTLS by phantomfive · · Score: 3, Insightful

      Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future.

      It's a fine idea but it wouldn't help you because the problem isn't the algorithm, the problem is the code. OpenSSL is known to have bugs in its TLS code, too. The problems here start even before getting to the algorithm.

      --
      "First they came for the slanderers and I said nothing."

    2. Re:Fork OpenSSL to OpenTLS by greg1104 · · Score: 3, Informative

      Been tried already; see gnutls. We tried to switch from OpenSSL to gnutls as the preferred SSL library for PostgreSQL a few years back, even got some press coverage documenting the whole thing. But, sadly, OpenSSL has too many quirky APIs to make a transition away from it easy. And anyone who tries to be "bug compatible" creating a replacement to that mess is going to inherit some of the same bad design that needs to be burned with fire.

  6. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 2, Informative

    Because all commits have to be approved by the top team, who, again, stand around with their dicks in their hands. It doesn't matter how fast you are to help them; until one approves it, it isn't fixed.