OpenSSL Security Update Less Critical Than Expected, Still Recommended
An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug that can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.
Ever heard of Patch Tuesday? Noob.
And another one in closed source? Your point?
Name one library package that is used as much as openssl that is closed source.
MFC.
They're leaving their customers out to dry. They're getting more and more like Microsoft every year.
No, I don't use Micro$hit software either.
For those unaware, the OpenBSD team forked OpenSSL a while back and started a huge cleanup of ugly existing codebase. Their project is named LibreSSL, and is available here: https://github.com/libressl-portable/portable
So how did they do?
CVEs that don't affect LibreSSL:
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
Base64 decode (CVE-2015-0292) - Severity: Moderate
Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
CVEs that affect LibreSSL:
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) - Severity: Low
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) - Severity: Low
So LibreSSL had already avoided 9 of these issues as a result of their code cleanup. This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.
Sources:
https://marc.info/?l=openbsd-announce&m=142677546015662
https://www.reddit.com/r/openbsd/comments/2zl6y4/no_highseverity_issues_from_openssl_were_present/
Look on the CD; you will see the source code right there. Is it libre software? Not so much. But you are free to look at the code.
Watch out guys, I think we have an Apple boy here.
Header files are not source code.
Another day, another security hole in open sores software.
No, I don't use Micro$hit software either.
Are you kidding me? There's holes in open source software, there's holes in closed source software, there's holes in every piece of software. What else is new? There's no need to degenerate to terms like "Micro$hit" or "open sores". It doesn't make you sound witty, it makes you sound like someone 16 years of age, and it's embarrassing to see this on a site that is supposedly for adults. The sooner all this pathetic name calling stops, the sooner we can actually discuss the core issue at hand. Assuming, of course, that you even understand what the hell the article is talking about, and I'm not entirely sure either of you do.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
The .cpp files are there. Keep looking. It even ASKS you to install it when you are installing visual studio.
https://msdn.microsoft.com/en-us/library/bs046sh0.aspx
http://cboard.cprogramming.com/windows-programming/65644-latest-platform-sdk-includes-mfc-4-2-source-code.html
It has been bundled along with the C++ compiler since it was Microsoft Visual C++ 1.52. Probably earlier, as that is as far back as I go and used MFC.
But it did make you butthurt enough to respond to me. :-)
Let's be very clear on something here: I honestly don't give one damn about you. The reason why I responded is that I hoped to warn you how stupid you sound when you say that, so that you won't be ridiculed for talking like a first grader. But if that's how you feel about it, if you really think anyone except that other AC gives one flying fuck's worth, go ahead. Make a fool of yourself.
Then what OS do you run? OS/2?
He runs systemd, the premiere open source OS.
Been here since 2005 & heard nothing but "OpenSORES = Secure, Closed Source != Secure" though. See subject. Eat your words, fools. You've lost what LITTLE credibility you had since your deceits here have failed you, and ANDROID of all things proves it most (since nobody used Linux for example by comparison to Windows on PCs & Servers combined).
Hahahaha that's exactly what they did too (it's all they've got vs. truth).
You're very vividly demonstrating why you should not feed the trolls.
I run whatever I feel like.
They can't handle truth here! Downmod hiding your post proves it.
No but I know you hang out on Felching Friday at a gay bar.
Still closed source! Open source != just can see the source code.
Except this "fringe" software is one of the widest used pieces of software out there.
I'm starting to think GNU is the problem with "GNU/Linux" these days.
I can compile the code. It comes WITH the makefiles and project files. MS even encouraged you to do so at one point to fix things or change things. You just could not give it to anyone else or put it in the system directory. But you could put the resulting binary into your directory alongside your exe and even distribute it.
It is a very limited open source.
If I wanted to extend their library it was fairly easy to do. I bought and made several myself over the years, because I had access to the code. I can count on one hand the number of times I had to compile it up myself. That was usually because I was waiting on them to fix some bug and their engineers would tell me to do so and put it in writing that it was OK to do. It was sort of the point of the library: to extend it, not change it. That is what C++ was about.
Do you even know what security by obscurity means? Clearly not.
If you can't give it to anyone else then it's absolutely not open source. Free redistribution is even the first criterion in the Open Source Definition, which most people, organizations and governments use when defining open source. Simplifying open source to mean just that I can look at the source code, therefore it's open source, is taking away the very thing that is the core of what open source is.
Why is that? Maybe he enjoys stringing them along the same way they enjoy stringing him along? Nothing wrong with a good ol' circle jerk between anonymous men on the internet, eh?
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
Which just happens to be TrollOS right now.
I run whatever I feel like.
Syphilis Fever it is then!