Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSL Patches Eight New Vulnerabilities

Posted by Soulskill on from the getting-ahead-in-the-game dept.

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.

7 of 79 comments (clear)

  1. Sick of this by Anonymous Coward · · Score: 3, Insightful

    LibreSSL can't come soon enough.

    1. Re:Sick of this by Anonymous Coward · · Score: 5, Informative

      Of course it did, it is a fork (copy) of OpenSSL.

      However, one or two of the issues were fixed in LibreSSL back in May, before being discovered in OpenSSL.
      They were fixed as part of the general code quality improvement, and cleaning up the error handling and memory management.

      https://twitter.com/bob_beck/status/553233391164743682

  2. Re:Time to switch to LibreSSL by Anonymous Coward · · Score: 5, Informative

    If you had been paying attention you'd know that OpenSSL gets bugs reported, LibreSSL fixes them while OpenSSL stands around with their collective dick in their hands.

  3. Go easy on the OpenSSL guys ! by slincolne · · Score: 4, Interesting
    The beauty of Open Source is that when issues like this are discovered, they are dealt with.

    With a closed source product you basically have to trust the vendor to get it right, and to patch defects in a timely manner.

    OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

    I just wish that the big players who use this in their products would support the developers - and make it a better outcome for all of us who rely on this product.

  4. Re:OpenSSL must fucking die by ruir · · Score: 4, Insightful

    That bunch of monkeys have do something better than most, they have given their free time for the project, they have advanced our knowledge of security, they have built a product use by a myriad of OS and vendors for almost 2 decades FOR FREE. Much more than some smuck than comes here ranting, and the idiots that mod him informative.

  5. Re:Fork OpenSSL to OpenTLS by phantomfive · · Score: 3, Insightful

    Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future.

    It's a fine idea but it wouldn't help you because the problem isn't the algorithm, the problem is the code. OpenSSL is known to have bugs in its TLS code, too. The problems here start even before getting to the algorithm.

    --
    "First they came for the slanderers and i said nothing."
  6. Re:Fork OpenSSL to OpenTLS by greg1104 · · Score: 3, Informative

    Been tried already; see gnutls. We tried to switch from OpenSSL to gnutls as the preferred SSL library for PostgreSQL a few years back, even got some press coverage documenting the whole thing. But, sadly, OpenSSL has too many quirky APIs to make a transition away from it easy. And anyone who tries to be "bug compatible" creating a replacement to that mess is going to inherit some of the same bad design that needs to be burned with fire.