OpenSSL Security Update Less Critical Than Expected, Still Recommended

An anonymous reader writes As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug than can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.

Re:Open sores, lol

And another one in closed source? Your point?

Name one library package that is used as much as openssl that is closed source.

Just another reminder to use LibreSSL

For those unaware, the OpenBSD team forked OpenSSL a while back and started a huge cleanup of ugly existing codebase. Their project is named LibreSSL, and is available here: https://github.com/libressl-portable/portable

So how did they do?

CVEs that don't effect LibreSSL:
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
Base64 decode (CVE-2015-0292) - Severity: Moderate
Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
CVEs that effect LibreSSL:
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) - Severity: Low
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) - Severity: Low

So LibreSSL had already avoided 9 of these issues as a result of their code cleanup. This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.

Sources:

https://marc.info/?l=openbsd-announce&m=142677546015662
https://www.reddit.com/r/openbsd/comments/2zl6y4/no_highseverity_issues_from_openssl_were_present/

Re:Just another reminder to use LibreSSL

[Noryungi]

Yup, I have the feeling that LibreSSL is going to replace OpenSSL like OpenSSH replaced SSH as ''the'' standard.

The fact that both LibreSSL and OpenSSH are OpenBSD project is not a coincidence...

More details on Undeadly.

Re:Just another reminder to use LibreSSL

[petermgreen]

Maybe

With ssh the original project had moved to a propietary license so linux distros that only accepted free software had to go with a fork or stick with a very outdated version. With openssl the original project is still alive. So the developers of linux distros will have to have a big argument over whether the reduced security exposure outweighs the reduced feature set.

Re:Just another reminder to use LibreSSL

[petermgreen]

Theres also a thorny license issue, some projects released under the GPL make a exception for openssl and it's not always clear whether that would apply to forks of openssl.

Re:Just another reminder to use LibreSSL

[Noryungi]

AFAIK, OpenSSL is Apache Licensed and LibreSSL is, well... BSD-Licensed.

If you accept an Apache-style license, I really don't see why LibreSSL's BSD is a problem.

You had a better argument when it came to the fact that OpenSSL is still active. Or, at least, that there is activity in the project, including some projects to audit the whole thing.

Re:Just another reminder to use LibreSSL

[MSG]

No, OpenSSL is not Apache licensed. It has its own license, similar to BSD-with-attribution license. And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.

It's also why Red Hat started work to standardize on Mozilla's NSS as the one true SSL library. However, I'm not sure what the status of that project is.

Re:Just another reminder to use LibreSSL

[WaffleMonster]

So LibreSSL had already avoided 9 of these issues as a result of their code cleanup.

5 of them at least a result of forking before relevant code/feature existed.

CVE-2015-0208, CVE-2015-0207, CVE-2015-0290, CVE-2015-0285 and CVE-2015-0291

This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.

I think having other forks and more people working a project is ultimately great for everyone. The tit-for-tat elitism and misleading hyperbole is not productive.

Re:Just another reminder to use LibreSSL

[Burz]

That is not such a big difference, considering most installations are still using OpenSSL (more eyes...).

LibreSSL is still valued for their efforts, but they and most of the IT community waited until a major crisis occurred before taking action. Now that OpenSSL has been in the spotlight and finally received decent funding to do their own reviews and cleanup, I'm not sure where that leaves LibreSSL.

Re:Just another reminder to use LibreSSL

[slashdice]

The libressl fork was 11 months ago. They managed to add 5 (at a minimum) critical vulnerabilities in the past 11 months? Jeezus fucking christ.

When you're in a hole, stop digging.

Re:Just another reminder to use LibreSSL

[WaffleMonster]

The libressl fork was 11 months ago. They managed to add 5 (at a minimum) critical vulnerabilities in the past 11 months?

Probably a *lot* more than that. These are only bugs having been caught thus far.

Jeezus fucking christ.

OpenSSL is currently offering and maintaining four separate release trains for download from the bleeding edge to ancient versions lacking TLS 1.1/1.2 support.

Hard to get excited about DOS/crash shit limited to a new immature branch only a dufus would select for production use... or in other words ...OMFG the sky is falling..

Re:Just another reminder to use LibreSSL

[Bengie]

I thought an "affect" creates a specific "effect". I like pixels shaders that affect the graphics by creating a shiny graphical effect.

Re:Just another reminder to use LibreSSL

[Elessar]

This is not a fair comparison.

LibreSSL forked OpenSSL 1.0.1. Therefore LibreSSL would never have been vulnerable to issues that did not affect 1.0.1 - since those arose after the codebases split. A fairer comparison would be to compare issues that affected OpenSSL 1.0.1 with LibreSSL. You also should not include CVE-2015-0204 since that is just a reclassification of a previously fixed defect. Simillarly CVE-2015-0292 was a historic issue not in recent versions of OpenSSL so also should not be included. By the time you remove all of those you get down to one issue that affected OpenSSL but not LibreSSL:

DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate

This issue also did not affect the current development version of OpenSSL only historic versions due to clean ups the OpenSSL team have been doing.

Re:Just another reminder to use LibreSSL

[petermgreen]

And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.

Exactly and in most cases the exception says "openssl". Does a slightly patched version from a distro still count as "openssl"? Does a forked and renamed version with substantial changes still count as "openssl"?

Re:Open sores, lol

[hyperar]

Watch out guys, i think we have an apple boy here.

Re:Open sores, lol

[EmeraldBot]

Another day, another security hole in open sores software.

No, I don't use Micro$hit software either.

Are you kidding me? There's holes in open source software, there's holes in closed source software, there's holes in every piece of software. What else is new? There's no need to degenerate to terms like "Micro$hit" or "open sores". It doesn't make you sound witty, it makes you sound like someone 16 years of age, and it's embarrassing to see this on a site that is supposedly for adults. The sooner all this pathetic name calling stops, the sooner we can actually discuss the core issue at hand. Assuming, of course, that you even understand what the hell the article is talking about, and I'm not entirely sure either of you do.

Re:Open sores, lol

[EmeraldBot]

But it did make you butthurt enough to respond to me. :-)

Let's be very clear on something here: I honestly don't give one damn about you. The reason why I responded is that I hoped to warn you how stupid you sound when you say that, so that you won't be ridiculed for talking like a first grader. But if that's how you feel about it, if you really think anyone except that other AC gives one flying fuck's worth, go ahead. Make a fool of yourself.

Re: Open sores, lol

He runs systemd, the premiere open source OS.

Re:Open sores, lol

[mean+pun]

You're very vividly demonstrating why you should not feed the trolls.

Re:And Red Hat doesn't have a fix out yet!

[Burz]

I'm guessing Fedora will have it in about 5-10 days, during which time about three 100MB Libre Office updates will already have been posted to their mirrors.

Re:Who Cares, No One Uses It Anyway!

[armanox]

Except this "fringe" software is one of the widest used pieces of software out there.

Re:Open sores, lol

[kthreadd]

If you can't give it to anyone else then it's absolutely not open source. Free redistribution is even the first criteria in the Open Source Definition, which most people, organizations and governments use when defining open source. Simplifying open source to mean just that I can look at the source code therefore it's open source is taking away the very thing that is the core of what open source is.

Re:Open sores, lol

[BronsCon]

Why is that? Maybe he enjoys stringing them along the same way they enjoy stringing him along? Nothing wrong with a good ol' circle jerk between anonymous men on the internet, eh?