OpenSSL Security Update Less Critical Than Expected, Still Recommended

← Back to Stories (view on slashdot.org)

OpenSSL Security Update Less Critical Than Expected, Still Recommended

Posted by timothy on Thursday March 19, 2015 @04:26AM from the man-nips-dog dept.

An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug than can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.

64 comments

Min score:

Reason:

Sort:

Open sores, lol by Anonymous Coward · 2015-03-19 04:28 · Score: -1

Another day, another security hole in open sores software.
1. Re:Open sores, lol by Anonymous Coward · 2015-03-19 04:41 · Score: 0, Flamebait
  
  Ever heard of Patch Tuesday? Noob.
2. Re:Open sores, lol by Anonymous Coward · 2015-03-19 04:44 · Score: 1
  
  And another one in closed source? Your point?
  Name one library package that is used as much as openssl that is closed source.
3. Re:Open sores, lol by Anonymous Coward · 2015-03-19 04:48 · Score: 0
  
  MFC.
4. Re:Open sores, lol by Anonymous Coward · 2015-03-19 04:55 · Score: 0
  
  No, I don't use Micro$hit software either.
5. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:02 · Score: -1
  
  You're ghey
6. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:05 · Score: 0
  
  Look on your the CD you will see the source code right there. Is it libre software? Not so much. But you are free to look at the code.
7. Re:Open sores, lol by hyperar · 2015-03-19 05:12 · Score: 1
  
  Watch out guys, i think we have an apple boy here.
8. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:17 · Score: 0
  
  Header files are not source code.
9. Re:Open sores, lol by EmeraldBot · 2015-03-19 05:18 · Score: 3, Insightful
  
  Another day, another security hole in open sores software.
  
  No, I don't use Micro$hit software either.
  Are you kidding me? There's holes in open source software, there's holes in closed source software, there's holes in every piece of software. What else is new? There's no need to degenerate to terms like "Micro$hit" or "open sores". It doesn't make you sound witty, it makes you sound like someone 16 years of age, and it's embarrassing to see this on a site that is supposedly for adults. The sooner all this pathetic name calling stops, the sooner we can actually discuss the core issue at hand. Assuming, of course, that you even understand what the hell the article is talking about, and I'm not entirely sure either of you do.
  
  --
  "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
10. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:20 · Score: -1
  
  LOL no. I'm not a fudge packer. Plus their shit uses open sores software, too.
11. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:21 · Score: -1
  
  But it did make you butthurt enough to respond to me. :-)
12. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:27 · Score: 0
  
  The .cpp files are there. Keep looking. It even ASKS you to install it when you are installing visual studio.
  https://msdn.microsoft.com/en-us/library/bs046sh0.aspx
  http://cboard.cprogramming.com/windows-programming/65644-latest-platform-sdk-includes-mfc-4-2-source-code.html
  It has been bundled along with the C++ compiler since it was microsoft visual C++ 1.52. Probably earlier as that is as far back as I go and used MFC.
13. Re:Open sores, lol by EmeraldBot · 2015-03-19 05:31 · Score: 1
  
  But it did make you butthurt enough to respond to me. :-)
  Let's be very clear on something here: I honestly don't give one damn about you. The reason why I responded is that I hoped to warn you how stupid you sound when you say that, so that you won't be ridiculed for talking like a first grader. But if that's how you feel about it, if you really think anyone except that other AC gives one flying fuck's worth, go ahead. Make a fool of yourself.
  
  --
  "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
14. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:35 · Score: -1
  
  Yeah, you care so little about me that you've responded to two of my posts with butthurt-filled invective. Cry moar, brah.
15. Re: Open sores, lol by Anonymous Coward · 2015-03-19 05:41 · Score: 0
  
  Then what OS do you run? OS/2?
16. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:42 · Score: -1
  
  OpenSORES = security by obscurity, noob http://tech.slashdot.org/comme... and that's even falling apart after YEARS of utter BULLSHIT spouted here on /. after seeing all the security holes popping up and years of "Linux = Secure, Windows != Secure" crap spewed on this site and others like it. You've all shot yourselves down with your own years of crap. Live with it. You've lost what little credibility you may have had (which wasn't much, as nobody used your shit in comparison to windows on PCs & servers combined where MS rules and will continue to do so, probably forever - MS should thank you fools actually imo).
17. Re: Open sores, lol by Anonymous Coward · 2015-03-19 05:43 · Score: 2, Funny
  
  He runs systemd, the premiere open source OS.
18. Re:Open sores, lol by mean+pun · 2015-03-19 05:50 · Score: 1
  
  You're very vividly demonstrating why you should not feed the trolls.
19. Re: Open sores, lol by Anonymous Coward · 2015-03-19 05:50 · Score: 0
  
  I run whatever I feel like.
20. Re:Open sores, lol by Anonymous Coward · 2015-03-19 05:59 · Score: 0
  
  They can't handle truth here! Downmod hiding your post proves it.
21. Re:Open sores, lol by Anonymous Coward · 2015-03-19 06:14 · Score: 0
  
  No but I know you hang out on Felching Friday at a gay bar.
22. Re:Open sores, lol by Anonymous Coward · 2015-03-19 06:41 · Score: 0
  
  Still closed source! Open source != just can see the source code.
23. Re:Open sores, lol by Anonymous Coward · 2015-03-19 08:00 · Score: 0
  
  I can compile the code. It comes WITH the makefiles and project files. MS even encouraged you to do so at one point to fix things or change things. You just could not give it to anyone else or put it in the system directory. But you could put the resulting binary into your directory alongside your exe and even distribute it.
  It is a very limited open source.
  If I wanted to extend their library it was fairly easy to do. I bought and made several myself over the years. Because I had access to the code. I can count on one hand the number of times I had to compile it up myself. That was usually because i was waiting on them to fix some bug and their engineers would tell me to do so and put it in writing that it was ok to do. It was sort of the point of the library. To extend it not change it. That is what C++ was about.
24. Re:Open sores, lol by kthreadd · 2015-03-19 09:48 · Score: 1
  
  If you can't give it to anyone else then it's absolutely not open source. Free redistribution is even the first criteria in the Open Source Definition, which most people, organizations and governments use when defining open source. Simplifying open source to mean just that I can look at the source code therefore it's open source is taking away the very thing that is the core of what open source is.
25. Re:Open sores, lol by BronsCon · 2015-03-19 15:03 · Score: 1
  
  Why is that? Maybe he enjoys stringing them along the same way they enjoy stringing him along? Nothing wrong with a good ol' circle jerk between anonymous men on the internet, eh?
  
  --
  APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
26. Re: Open sores, lol by Anonymous Coward · 2015-03-20 02:39 · Score: 0
  
  Which just happens to be TrollOS right now.
27. Re: Open sores, lol by Anonymous Coward · 2015-03-21 09:50 · Score: 0
  
  I run whatever I feel like.
  Syphilis Fever it is then!
Who Cares, No One Uses It Anyway! by Anonymous Coward · 2015-03-19 04:32 · Score: -1, Flamebait

Thank god I run Windows and don't have to deal with this linux crap. I just need Windows and then it's all provided for me on the web: Facebook, Youtube & Gmail. No reason to install unsafe software like "OpenSSL" and leave yourself vulnerable like some n00b. Oh, and I'm not stupid, I download Chrome because it's better than IE, I know. God, why do you clog up my news with this nonsense about some fringe software that only the neckbeards are stupid enough to install?
1. Re:Who Cares, No One Uses It Anyway! by Anonymous Coward · 2015-03-19 04:36 · Score: -1
  
  +5 insightful. Linux and open source software should be made illegal due to all their security issues.
2. Re:Who Cares, No One Uses It Anyway! by Anonymous Coward · 2015-03-19 04:44 · Score: -1
  
  Patch Tuesday, n00b.
3. Re:Who Cares, No One Uses It Anyway! by Anonymous Coward · 2015-03-19 05:37 · Score: -1
  
  OpenSORES = security by obscurity, noob http://tech.slashdot.org/comme...
4. Re:Who Cares, No One Uses It Anyway! by armanox · 2015-03-19 07:33 · Score: 1
  
  Except this "fringe" software is one of the widest used pieces of software out there.
  
  --
  I'm starting to think GNU is the problem with "GNU/Linux" these days.
5. Re:Who Cares, No One Uses It Anyway! by Anonymous Coward · 2015-03-19 09:11 · Score: 0
  
  Do you even know what security by obscurity means? Clearly not.
And Red Hat doesn't have a fix out yet! by Anonymous Coward · 2015-03-19 04:54 · Score: 0

They're leaving their customers out to dry. They're getting more and more like Microsoft every year.
1. Re:And Red Hat doesn't have a fix out yet! by Burz · 2015-03-19 07:32 · Score: 1
  
  I'm guessing Fedora will have it in about 5-10 days, during which time about three 100MB Libre Office updates will already have been posted to their mirrors.
2. Re:And Red Hat doesn't have a fix out yet! by Anonymous Coward · 2015-03-19 08:01 · Score: 0
  
  And nineteen updates to Atom that are 45 Megabytes each. I swear that text editor is just a scam by a company that sells bandwidth.
Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 04:56 · Score: 5, Informative

For those unaware, the OpenBSD team forked OpenSSL a while back and started a huge cleanup of ugly existing codebase. Their project is named LibreSSL, and is available here: https://github.com/libressl-portable/portable
So how did they do?
CVEs that don't effect LibreSSL:
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
Base64 decode (CVE-2015-0292) - Severity: Moderate
Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
CVEs that effect LibreSSL:
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) - Severity: Low
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) - Severity: Low
So LibreSSL had already avoided 9 of these issues as a result of their code cleanup. This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.
Sources:
https://marc.info/?l=openbsd-announce&m=142677546015662
https://www.reddit.com/r/openbsd/comments/2zl6y4/no_highseverity_issues_from_openssl_were_present/
1. Re:Just another reminder to use LibreSSL by Noryungi · 2015-03-19 05:03 · Score: 2
  
  Yup, I have the feeling that LibreSSL is going to replace OpenSSL like OpenSSH replaced SSH as ''the'' standard.
  The fact that both LibreSSL and OpenSSH are OpenBSD project is not a coincidence...
  More details on Undeadly.
  
  --
  The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
2. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 05:04 · Score: 0
  
  See, the trouble with swapping 'affect' and 'effect' is that the first means to alter, while the second means to cause to happen.
  You should use LibreSSL, therefore you would want to effect its installation. However, you want to avoid CVE's which affect its operation. Swapping those two words makes a mess of your lists.
3. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 05:07 · Score: 0
  
  Addendum: there is a third word, affect, another verb, meaning to pretend to be or have something, but it's pronounced differently.
  Don'tcha love you some English?
4. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 05:09 · Score: -1
  
  I am very sorry about that poor editing. I didn't catch those mistakes until 10 seconds after I hit post, and now I can't edit it. Nothing I can do now but look like an idiot.
5. Re:Just another reminder to use LibreSSL by petermgreen · 2015-03-19 05:32 · Score: 2
  
  Maybe
  With ssh the original project had moved to a propietary license so linux distros that only accepted free software had to go with a fork or stick with a very outdated version. With openssl the original project is still alive. So the developers of linux distros will have to have a big argument over whether the reduced security exposure outweighs the reduced feature set.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
6. Re:Just another reminder to use LibreSSL by petermgreen · 2015-03-19 05:46 · Score: 1
  
  Theres also a thorny license issue, some projects released under the GPL make a exception for openssl and it's not always clear whether that would apply to forks of openssl.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
7. Re:Just another reminder to use LibreSSL by Noryungi · 2015-03-19 05:54 · Score: 1
  
  AFAIK, OpenSSL is Apache Licensed and LibreSSL is, well... BSD-Licensed.
  If you accept an Apache-style license, I really don't see why LibreSSL's BSD is a problem.
  You had a better argument when it came to the fact that OpenSSL is still active. Or, at least, that there is activity in the project, including some projects to audit the whole thing.
  
  --
  The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
8. Re:Just another reminder to use LibreSSL by MSG · 2015-03-19 06:19 · Score: 3, Informative
  
  No, OpenSSL is not Apache licensed. It has its own license, similar to BSD-with-attribution license. And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.
  It's also why Red Hat started work to standardize on Mozilla's NSS as the one true SSL library. However, I'm not sure what the status of that project is.
9. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 06:39 · Score: 0
  
  Why don't they contribute their patches to upstream instead of forking?
10. Re:Just another reminder to use LibreSSL by WaffleMonster · 2015-03-19 06:58 · Score: 1
  
  So LibreSSL had already avoided 9 of these issues as a result of their code cleanup.
  5 of them at least a result of forking before relevant code/feature existed.
  CVE-2015-0208, CVE-2015-0207, CVE-2015-0290, CVE-2015-0285 and CVE-2015-0291
  
  This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.
  I think having other forks and more people working a project is ultimately great for everyone. The tit-for-tat elitism and misleading hyperbole is not productive.
11. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 07:17 · Score: 0
  
  That's also one of the main motivations for why the GnuTLS project started. Lesson learned, don't write your own license. Use LGPL mor maximum compatibility.
12. Re:Just another reminder to use LibreSSL by Burz · 2015-03-19 07:40 · Score: 1
  
  That is not such a big difference, considering most installations are still using OpenSSL (more eyes...).
  LibreSSL is still valued for their efforts, but they and most of the IT community waited until a major crisis occurred before taking action. Now that OpenSSL has been in the spotlight and finally received decent funding to do their own reviews and cleanup, I'm not sure where that leaves LibreSSL.
13. Re:Just another reminder to use LibreSSL by slashdice · 2015-03-19 07:40 · Score: 2
  
  The libressl fork was 11 months ago. They managed to add 5 (at a minimum) critical vulnerabilities in the past 11 months? Jeezus fucking christ.
  When you're in a hole, stop digging.
  
  --
  Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
14. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 08:37 · Score: 0
  
  Because OpenSSL isn't even attempting to clean up their code. As someone pointed out below, five of these CVEs relate to new code added to OpenSSL. Security and clean code be damned, we need teh MOAR FEATURE ! !
15. Re:Just another reminder to use LibreSSL by WaffleMonster · 2015-03-19 12:47 · Score: 1
  
  The libressl fork was 11 months ago. They managed to add 5 (at a minimum) critical vulnerabilities in the past 11 months?
  Probably a *lot* more than that. These are only bugs having been caught thus far.
  
  Jeezus fucking christ.
  OpenSSL is currently offering and maintaining four separate release trains for download from the bleeding edge to ancient versions lacking TLS 1.1/1.2 support.
  Hard to get excited about DOS/crash shit limited to a new immature branch only a dufus would select for production use... or in other words ...OMFG the sky is falling..
16. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-19 20:48 · Score: 0
  
  Most of the issues were 1.0.2 only. LibreSSL is based on a 1.0.1 version. They really only fixed two of the issues:
  - Base64 decode (CVE-2015-0292): OpenSSL already released it previously without CVE
  - DoS via reachable assert in SSLv2 servers (CVE-2015-0293): They just removed SSLv2 support while most people have it disabled instead. OpenSSL master has also removed it.
17. Re:Just another reminder to use LibreSSL by Bengie · 2015-03-20 01:47 · Score: 1
  
  I thought an "affect" creates a specific "effect". I like pixels shaders that affect the graphics by creating a shiny graphical effect.
18. Re:Just another reminder to use LibreSSL by Elessar · 2015-03-20 05:44 · Score: 1
  
  This is not a fair comparison.
  LibreSSL forked OpenSSL 1.0.1. Therefore LibreSSL would never have been vulnerable to issues that did not affect 1.0.1 - since those arose after the codebases split. A fairer comparison would be to compare issues that affected OpenSSL 1.0.1 with LibreSSL. You also should not include CVE-2015-0204 since that is just a reclassification of a previously fixed defect. Simillarly CVE-2015-0292 was a historic issue not in recent versions of OpenSSL so also should not be included. By the time you remove all of those you get down to one issue that affected OpenSSL but not LibreSSL:
  DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
  This issue also did not affect the current development version of OpenSSL only historic versions due to clean ups the OpenSSL team have been doing.
19. Re:Just another reminder to use LibreSSL by Anonymous Coward · 2015-03-21 07:40 · Score: 0
  
  I don't get your logic. Why would anyone want to use OpenSSL when they could use LibreSSL instead? There's a reason why they kept the OpenSSL API - so LibreSSL could be a drop-in replacement.
20. Re:Just another reminder to use LibreSSL by petermgreen · 2015-03-22 07:27 · Score: 1
  
  And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.
  Exactly and in most cases the exception says "openssl". Does a slightly patched version from a distro still count as "openssl"? Does a forked and renamed version with substantial changes still count as "openssl"?
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
AMEN TO THAT! by Anonymous Coward · 2015-03-19 05:29 · Score: -1

For years here all you heard was "Linux = Secure, Windows != Secure" & what do we see now? ANDROID (finally a Linux that's KING of a platform) getting torn up faster than MS products ever were in the same timeframe. So much for the bullshitters around here that couldn't make it on the most used platform there is (ms) on PC's & Servers combined vainly *trying* & failing in their "let's futher our personal agendas with bullshit lies" when it's finally shown what the real deal is, and they're all full of CRAP, lmao! Had to laugh. It's truth. Truth always comes out dolts and now you're all wearing egg on your dumb faces for it.
Quick! Downmod the post parent to mine! by Anonymous Coward · 2015-03-19 05:32 · Score: -1

See subject - he told the truth & we Open SORES trolls can't have that! Hide it, quick, with downmods! It's all our kind have when we're exposed in our years of lies and bullshit while we hid behind security by obscurity (not worth attacking on PC desktops since it's never used there).
1. Re:Quick! Downmod the post parent to mine! by Anonymous Coward · 2015-03-19 05:47 · Score: 0
  
  Hahahaha that's exactly what they did too (it's all they've got vs. truth).
Sure that's your story NOW by Anonymous Coward · 2015-03-19 05:45 · Score: 0

Been here since 2005 & heard nothing but "OpenSORES = Secure, Closed Source != Secure" though. See subject. Eat your words, fools. You've lost what LITTLE credibility you had since your deceits here have failed you, and ANDROID of all things proves it most (since nobody used Linux for example by comparison to Windows on PCs & Servers combined).
AMEN TO THAT! by Anonymous Coward · 2015-03-19 05:53 · Score: -1

For years here all you heard was "Linux = Secure, Windows != Secure" & what do we see now? ANDROID (finally a Linux that's KING of a platform) getting torn up faster than MS products ever were in the same timeframe. So much for the bullshitters around here that couldn't make it on the most used platform there is (ms) on PC's & Servers combined vainly *trying* & failing in their "let's futher our personal agendas with bullshit lies" when it's finally shown what the real deal is, and they're all full of CRAP, lmao! Had to laugh. It's truth. Truth always comes out dolts and now you're all wearing egg on your dumb faces for it fools. Before anybody gives me any guff on this, realize that minus modding what I posted before, simple truth, is only proving me right http://tech.slashdot.org/comme... & I didn't even get any guff there. Just a quick downmod to hide the truth of what I wrote and I've been here since 2005 hearing the bs I noted. Too bad it's 10 yrs. later and for the last 8 or so, you've had to eat your words on that note. Truth's like that boys! Try it sometime vs. the naive bs you all spewed here for years.
huh? by slashdice · 2015-03-19 07:15 · Score: -1, Troll

security updating to libressl is critical. Anybody who doesn't is a moron.

--
Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.