Slashdot Mirror


OpenSSL Security Update Less Critical Than Expected, Still Recommended

An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug that can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.

2 of 64 comments

  1. Just another reminder to use LibreSSL by Anonymous Coward · Score: 5, Informative

    For those unaware, the OpenBSD team forked OpenSSL a while back and started a huge cleanup of the ugly existing codebase. Their project is named LibreSSL, and is available here: https://github.com/libressl-portable/portable

    So how did they do?

    CVEs that don't affect LibreSSL:
    OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
    Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
    Base64 decode (CVE-2015-0292) - Severity: Moderate
    Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
    Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
    Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
    DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
    Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
    Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
    CVEs that affect LibreSSL:
    Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
    ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
    PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
    Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) - Severity: Low
    X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) - Severity: Low

    So LibreSSL had already avoided 9 of these issues as a result of their code cleanup. This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.

    Sources:

    https://marc.info/?l=openbsd-announce&m=142677546015662
    https://www.reddit.com/r/openbsd/comments/2zl6y4/no_highseverity_issues_from_openssl_were_present/

    1. Re:Just another reminder to use LibreSSL by MSG · Score: 3, Informative

      No, OpenSSL is not Apache licensed. It has its own license, similar to BSD-with-attribution license. And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.

      It's also why Red Hat started work to standardize on Mozilla's NSS as the one true SSL library. However, I'm not sure what the status of that project is.