New OpenSSL Security Advisory Announced

← Back to Stories (view on slashdot.org)

New OpenSSL Security Advisory Announced

Posted by samzenpus on Thursday June 11, 2015 @11:00AM from the protect-ya-neck dept.

New submitter eyeareque writes: It's time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Personally I wish that OpenSSL released these in a predictable cadence. Patch Tuesday maybe?

95 comments

Min score:

Reason:

Sort:

And I wish... by Anonymous Coward · 2015-06-11 11:06 · Score: 0, Flamebait

... that OpenSSL burned in hell. Not only it contains code that seems to have been written by retards but, in addition, it exposes the worst API I have ever seen.
1. Re:And I wish... by Anonymous Coward · 2015-06-11 11:56 · Score: 2, Insightful
  
  Would you like to discuss all the vulnerabilities in Windows various versions, that has led to MILLIONS of different Malware???
  No, I dont use Windows so those dont affect me. The problems with OpenSSL affect me. Also since this a story about the vulnerabilities in OpenSSL why would we change the topic to Windows?
  
  I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.
  Good for you but this is nothing to do with Linux or Windows, this is about OpenSSL (or do you think OpenSSL is a Linux thing?).
2. Re:And I wish... by Ziest · 2015-06-11 11:56 · Score: 2, Interesting
  
  Your are invited to submit your patches to fix the problems you have found in OpenSSL
  
  --
  Another day closer to redwood heaven
3. Re:And I wish... by Anonymous Coward · 2015-06-11 12:00 · Score: 1
  
  Because if you aren't using OpenSSL, you must be using Windows. I must have imagined GnuTLS, MatrixSSL, MbedTLS, LibreSSL, NSS, Botan, Bouncy castle, wolfSSL, Boring SSL, cryptlib, etc.
4. Re:And I wish... by rstanley · 2015-06-11 12:03 · Score: 0, Troll
  
  And it does not surprise me at all that you completely missed my point, "Anonymous Coward"
5. Re:And I wish... by Ziest · 2015-06-11 12:58 · Score: 1
  
  Thank you for your deep insight into this problem. Now that you have tossed OpenSSL what are you going to be replacing it with.
  
  --
  Another day closer to redwood heaven
6. Re: And I wish... by Anonymous Coward · 2015-06-11 13:08 · Score: 1
  
  Plus I use openSSL on Windows.
7. Re:And I wish... by Antique+Geekmeister · 2015-06-11 13:14 · Score: 2
  
  LibreSSL for drop-in compatibility? Or gnutls?
8. Re:And I wish... by Anonymous Coward · 2015-06-11 13:48 · Score: 0
  
  I feel like I'm reading my non techie friends' political rantings on facebook. I remember when this used to be the cool part of the internet. Now I'm just like, "Which part was that again?"
9. Re:And I wish... by ToasterMonkey · 2015-06-11 14:34 · Score: 4, Interesting
  
  Would you like to discuss all the vulnerabilities in Windows various versions, that has led to MILLIONS of different Malware??? Why doesn't Mickey$oft fix most of these??? They simply refuse!!!
  I will take Linux, Open Source and Free Software any day of the week, and will deal with any flaws that come up. They are usually corrected quite quickly, and in this case, I am sure they spent a lot of time testing to inure all is fixed.
  I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.
  Who, the hell, said anything about Windows OR Linux besides you? OpenSSL runs on everything.
  Do you really think we shouldn't hold OpenSSL, or any open source software to a higher standard, "because Microsoft"?
  . ... are your parents OK with you using the Internet all by yourself?
10. Re:And I wish... by Anonymous Coward · 2015-06-11 14:37 · Score: 0
  
  This is obviously some kid moderating himself.
11. Re:And I wish... by Bengie · 2015-06-11 14:38 · Score: 4, Insightful
  
  I bet you don't like some things the government does. You are invited to run for Senate or President. Because obviously if you don't, you should just shut up and gtfo.
  
  Complaining about open source software is like voting, you're letting your voice be heard but letting the other run the show. Submitting patches is like being a politician, you're the only actually doing the work.
12. Re:And I wish... by rstanley · 2015-06-11 14:39 · Score: 0
  
  Let me see if I have this straight. First you say:
  
  "Not only it contains code that seems to have been written by retards but, in addition, it exposes the worst API I have ever seen."
  
  But later you say:
  
  "People can point out issues even if they are not capable of providing fixes for them. Not everyone is a coder, you elitist asshat."
  
  First you claim to be an expert on source code analysis, but later you admit, or claim NOT to be a programmer! ;^)
  
  ROTFLMAO!!!
13. Re:And I wish... by Anonymous Coward · 2015-06-11 14:51 · Score: 0
  
  XOR anyone? Safe as houses! :)
14. Re:And I wish... by myowntrueself · 2015-06-11 15:08 · Score: 1
  
  Thank you for your deep insight into this problem. Now that you have tossed OpenSSL what are you going to be replacing it with.
  Nothing. We'll overload the fuckers. They are probably throwing away petabytes of encrypted data because, given its context, decrypting it to find out if it happens to be valuable is too much work. If we send everything in the plain they will have to devote billions of man hours of human intelligence to everyones blathering! The NSA etc would be overwhelmed! Genius!
  
  --
  In the free world the media isn't government run; the government is media run.
15. Re:And I wish... by sexconker · 2015-06-11 16:09 · Score: 2
  
  Can one miss a point that isn't there?
16. Re:And I wish... by daveime · 2015-06-11 18:08 · Score: 1
  
  Anything but GNUTLS. I tried that piece of shit a few years ago, and encountered a database corruption bug that just killed your SSL at random intervals without warning and no messages in error_log. Only solution was to delete the database before restarting apache ... a restart by itself didn't fix the db.
17. Re: And I wish... by TheManInTheMoon · 2015-06-11 19:24 · Score: 1
  
  Yes, of course. Just like the man on the stairs. http://en.m.wikipedia.org/wiki...
18. Re:And I wish... by Demonoid-Penguin · 2015-06-11 20:07 · Score: 2
  
  Dear butt-weasel,
  
  People can point out issues even if they are not capable of providing fixes for them.
  They can. Indeed they can. Only the other day I saw a bloke in a dressing gown giving similar suggestions to emergency workers fixing power lines. No doubt they appreciated the insights he offered.Just because a particular field of endeavor requires practitioners years of study and experience shouldn't prohibit the intuitively enhanced from giving directions. I bet the computer repair shop appreciate your directions on how to fix problems - that you don't know how to fix.
  
  Not everyone is a coder, you elitist asshat.
  Forgive me for not recognising the insurmountable barriers that have prevented you from ever learning to program. I now appreciate that not everyone is an uninformed arse-clown, we all have our crosses to bear. Carry on.
19. Re:And I wish... by Demonoid-Penguin · 2015-06-11 20:24 · Score: 1
  
  I bet you don't like some things the government does. You are invited to run for Senate or President. Because obviously if you don't, you should just shut up and gtfo.
  Comprehension eludes you. There's a difference between having the capacity for the moral depravity and incompetence needed to be a politician - and the actual desire to be one. The ability to code, and active participation in OpenSSL seems similar - but what would I know. You certainly have my vote.
  
  Complaining about open source software is like voting, you're letting your voice be heard but letting the other run the show.
  A novel analogy. In what country to do you vote on random web forums? Which Open Source projects use any old web forum for bug tracking?
  
  Submitting patches is like being a politician, you're the only actually doing the work.
  If you'd only mentioned earlier that you were a politician it would have saved us all the trouble of taking anything you say seriously. Not that I think for a minute that you have tickets on yourself. Thanks for your invaluable opinions, unlike voting I actually welcome input from the uninformed - especially those that don't use my code, it's what motivates me to devote so much time to Open Source (and you thought it was because I'm tax payer funded and required to by law - how, um, quaint)
20. Re:And I wish... by drinkypoo · 2015-06-11 22:42 · Score: 2
  
  Who, the hell, said anything about Windows OR Linux besides you? OpenSSL runs on everything.
  Not just that, but Microsoft is about to incorporate OpenSSH into Windows.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
21. Re: And I wish... by jmac_the_man · 2015-06-12 01:27 · Score: 1
  
  Which Open Source projects use any old web forum for bug tracking?
  Discourse is open source fourm software that self-hosts its bug tracker. And by "self-hosts," I mean they literally use a Discourse fourm to track bugs and cudgel fourm features into bugtracking features. For example, each bug is supposed to be the OP of a topic, and they prioritize bugs by counting the number of users that "like" the post describing the bug.
  It works about as well as you'd expect.
22. Re:And I wish... by Anonymous Coward · 2015-06-12 04:06 · Score: 0
  
  There's a difference between having the capacity for the moral depravity and incompetence needed to be a politician [...]
  You should stop calling them politicians. Politicians are managers of the everyday life in the city. There is no place for corruption and incompetence in this idea.
  Just like anarchy doesn't have anything to do with violence and disorder, communism with gulags, socialism with Hitler, laziness with the idea of 'sins', peace and calm with lacking and boring, ideal and perfection with tyranny and distopia, etc.
  These deformations are very negative, and greatly affect people and our society as a whole, including unconsciously.
23. Re: And I wish... by Anonymous Coward · 2015-06-12 07:31 · Score: 0
  
  What db?
24. Re: And I wish... by Demonoid-Penguin · 2015-06-12 12:54 · Score: 1
  
  It works about as well as you'd expect.
  Better than bitching on Slashdot? Noooooo
More like App Appday! by Anonymous Coward · 2015-06-11 11:07 · Score: 0, Interesting

OpenSSL would be more secure if it was an app instead of Luddite software, because only apps can app apps!
Apps!
Dox by Anonymous Coward · 2015-06-11 11:08 · Score: 0

Protip: at least 1/5 of the board members are nation state agents with a ragin hard on for breaking certificates
Predictable cadence? by mars-nl · 2015-06-11 11:11 · Score: 5, Insightful

What's the use of a predictable cadence for security updates? Security vulnerabilities are not found on a schedule. Personally I want my updates ASAP. You can update when you want (but sooner is better for everyone).
1. Re:Predictable cadence? by Anonymous Coward · 2015-06-11 11:21 · Score: 0
  
  Unfortunately in this world with change control, number of systems affected, testers that need to be lined up, business stakeholder notified of outage if any etc means that unless a security issue is out in the wild your are not going to deploy it. By having regular predictable releases you can organise regular pre-approved changes etc.
  Hans
2. Re: Predictable cadence? by Anonymous Coward · 2015-06-11 11:22 · Score: 0
  
  Totally.
  You do not the vendor to release a patch Tuesday.
  They should just ship as best they can, and you patch at whatever cadence works for you.
  Patch Tuesday is just a placebo for psychological issues
3. Re:Predictable cadence? by Anonymous Coward · 2015-06-11 11:25 · Score: 0
  
  Unfortunately in this world with change control, number of systems affected, testers that need to be lined up, business stakeholder notified of outage if any etc means that unless a security issue is out in the wild your are not going to deploy it. By having regular predictable releases you can organise regular pre-approved changes etc.
  Hans
  Update:
  Trust me business stake holders get very cranky when you want to foist a change on them at end of financial month say, just because you want to deploy a security patch with minimal actual benefit i.e. low level risk associated with not deploying.
  Hans Klarenbeek
4. Re: Predictable cadence? by Anonymous Coward · 2015-06-11 11:31 · Score: 0
  
  Well then, just leave your number with the help desk and we'll call you back.
5. Re:Predictable cadence? by JSG · 2015-06-11 11:32 · Score: 1
  
  "Security vulnerabilities are not found on a schedule."
  Agreed. Still, at least we get silly names for OpenSSL vulns rather than simply just CVEs and KB numbers with descriptions that usually say something like "A vulnerability in stuff can cause your cat to spontaneously combust on wednesdays when the full moon is in venus. You may have to reboot your computer after applying this update."
  Oh well, it's time to:
  $sudo apt-get update && sudo apt-get upgrade
  $sudo pacman -Syu
  #emerge -uva --deep --newuse --keep-going @world
  $sudo yum up
  The third one above is my patch tuesday, wednesday and probably thursday 8) My laptop is starting to cook my bollocks, compiling LibreOffice.
6. Re:Predictable cadence? by eyeareque · 2015-06-11 12:28 · Score: 2
  
  It helps companies plan for downtime and patching. Right now they give you a three day notice and this only tells you "something is coming in three days" and maybe the severity. If you can plan it out it makes for a smoother fix process.
7. Re:Predictable cadence? by Anonymous Coward · 2015-06-11 13:01 · Score: 0
  
  You shouldn't have to go full change control retard for security updates. Moving from version 1.0.2 to 1.0.2b will not require any special testing beyond "is the service up?" and won't require an outage in production as you stagger restarts. Most orgs will consider this kind of thing change low-risk and pre-approved.
8. Re: Predictable cadence? by Anonymous Coward · 2015-06-11 13:26 · Score: 0
  
  Version numbers are made up. Point releases and letters mean nothing in terms compatibility.
9. Re:Predictable cadence? by Dutch+Gun · 2015-06-11 13:33 · Score: 3, Insightful
  
  You're obviously patching your own machine, not thousands of other people's machines, for whom any patch carries the risk of breaking mission-critical software and potentially costing your company millions of dollars in lots productivity per day. A predictable cadence is extremely useful for non-zero-day exploits, and even zero-day exploits if the risk is deemed acceptable or can otherwise be mitigated temporarily. The whole notion of a once-a-month patch schedule is entirely for the benefit of corporate customers, to make it easier to test and deploy those patches on a regular schedule.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
10. Re:Predictable cadence? by Anonymous Coward · 2015-06-11 14:17 · Score: 0
  
  Stop pretending that you are maintaining thousands of machines because your complaints clearly show that you most likely are not.
  Your incapacity to handle patches on an irregular basis just points out how flawed your business practices are.
  And besides that, it is not an obligation to install a patch. You are allowed to evaluate the severity of it and decide to apply it at a more convenient time.
11. Re:Predictable cadence? by Dutch+Gun · 2015-06-11 14:32 · Score: 1
  
  Personally, I've got four machines to patch (two Windows, one Mac, one Linux), and didn't mean to imply otherwise. It's rather common knowledge that "patch Tuesday" was started by MS in order to make things more convenient for corporate customers, instead of releasing patches on an ad hoc schedule.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
12. Re:Predictable cadence? by myowntrueself · 2015-06-11 15:29 · Score: 4, Interesting
  
  You're obviously patching your own machine, not thousands of other people's machines, for whom any patch carries the risk of breaking mission-critical software and potentially costing your company millions of dollars in lots productivity per day.
  Not quite *any* patch.
  Debian has a good reputation for not changing anything in a security patch other than the security vulnerability itself. Ie if the version of the software in the distribution is, say 1.0 then patching security updates will never change the version to 2.0. The patched version has exactly the same behaviors as the version its updating minus the security vulnerabilities. If you were somehow taking advantage of those vulnerabilities then, well, thats your problem. Also if you are mixing 3rd party non-Debian packaged software in, you are on your own there too. But a pure Debian server should be able to be apt-get upgraded with no problems.
  (There was one time when the package maintainer of sudo _decided_ that the defaults for handling environment variables were 'unsecure' and changed them as a security update, which broke a lot of peoples shit. But that was a long time ago).
  
  --
  In the free world the media isn't government run; the government is media run.
13. Re:Predictable cadence? by Anonymous Coward · 2015-06-11 15:55 · Score: 0
  
  (There was one time when the package maintainer of sudo _decided_ that the defaults for handling environment variables were 'unsecure' and changed them as a security update, which broke a lot of peoples shit. But that was a long time ago).
  And another when OpenSSH (if I recall correctly) moved to version 2.x because of a major vulnerability. Still, it's extremely rare.
14. Re: Predictable cadence? by Anonymous Coward · 2015-06-11 16:46 · Score: 0
  
  That's entirely true, but it's entirely irrelevant to the point at hand. No matter what you call a minor fix it's still a minor fix.
15. Re:Predictable cadence? by thegarbz · 2015-06-11 17:13 · Score: 1
  
  Or they could release a patch and companies can install it 3 days later. I don't understand why you would want to hold the patch back? It was a retarded concept when MS introduced it, but even now you can control the distribution of windows updates in a controlled manner throughout an organisation so even that has run its course.
16. Re:Predictable cadence? by thegarbz · 2015-06-11 17:14 · Score: 1
  
  What stops you from patching your machine in your own time?
17. Re: Predictable cadence? by Anonymous Coward · 2015-06-11 17:48 · Score: 0
  
  What is downtime? Some Windows application? In Linux I only have uptime.
18. Re:Predictable cadence? by arglebargle_xiv · 2015-06-11 20:09 · Score: 1
  
  I think it's a sign that there's something seriously wrong when people are requesting a regular release cadence to fix all the security holes in the software that's supposed to be protecting them from security problems...
  ObXKCD.
19. Re:Predictable cadence? by Anonymous Coward · 2015-06-11 20:22 · Score: 0
  
  Uh, so the NSA has a week to switch vulnerabilities?
20. Re:Predictable cadence? by Demonoid-Penguin · 2015-06-11 20:30 · Score: 2
  
  Personally, I've got four machines to patch (two Windows, one Mac, one Linux), and didn't mean to imply otherwise. It's rather common knowledge that "patch Tuesday" was started by MS in order to make things more convenient for corporate customers, instead of releasing patches on an ad hoc schedule.
  As someone who deals with many of their corporate customers let me assure you it ain't convenient - we want the patches as soon as possible, and we'll deploy them as soon as we've tested them. Despite not knowing the personal motivations behind all the M$ executives who decided it's a monthly thing (and ignoring that I remember when it wasn't even monthly) I have a hard time believing they do because it's best for their corporate clients.
21. Re: Predictable cadence? by Anonymous Coward · 2015-06-12 00:30 · Score: 0
  
  As someone that works for a company that does distribute patches to thousands of machines, what I'll say is even planned patches break a lot of crap. I sit on the support side of this, so I know when things break after a patch. What you're doing by not releasing the patch immediately is you're not providing your corporate clients as much time as possible to work on testing the patch. If you have a fix today, but we have to wait until Tuesday to get the patch, we are still going to spend days testing before releasing the patch. So what could have been resolved by Tuesday now has to wait until Tuesday to even begin testing and deployment. It's nice to have general purpose releases coming at a specific time because you can decide if you even need the upgrade. But security issues need to be fixed 90% of the time. In the rare instance you don't need the update, you skip it. So predictable releases for security issues just doesn't make sense. Give it to me now. Our team will determine when it gets deployed.
22. Re:Predictable cadence? by Anonymous Coward · 2015-06-12 01:25 · Score: 0
  
  As someone who deals with many of their corporate customers let me assure you it ain't convenient - we want the patches as soon as possible, and we'll deploy them as soon as we've tested them. Despite not knowing the personal motivations behind all the M$ executives who decided it's a monthly thing (and ignoring that I remember when it wasn't even monthly) I have a hard time believing they do because it's best for their corporate clients.
  It's simple. Without the Patch Tuesday cycle... you'd be stuck in continuous testing since patches would be coming quicker than you can complete testing. By rolling a bunch of patches together, Microsoft provides enough time for corporate customers to complete a broad test and roll out the patches before the next patch cycle.
23. Re:Predictable cadence? by luis_a_espinal · 2015-06-12 01:41 · Score: 1
  
  Unfortunately in this world with change control, number of systems affected, testers that need to be lined up, business stakeholder notified of outage if any etc means that unless a security issue is out in the wild your are not going to deploy it. By having regular predictable releases you can organise regular pre-approved changes etc.
  Hans
  And how do you schedule predicable zero-day security patches, for instance?
24. Re:Predictable cadence? by luis_a_espinal · 2015-06-12 01:45 · Score: 1
  
  What stops you from patching your machine in your own time?
  Budgets, schedules, coordination with other 24/7 services that depend on it, etc, etc. If it is a single isolated system, then yeah, it's trivial. When we are talking about production and test environments with dozens (or even more) systems, then it is not just a matter of working "own your own time." This gets worse when there are systems that heavily utilize SSL.
  Any such upgrade requires some type of basic regression testing of said systems outside of the typical testing schedules associated to development. And that brings up pulling resources from somewhere else to do the testing.
  It is almost never our own time alone.
25. Re:Predictable cadence? by pscottdv · 2015-06-12 02:19 · Score: 1
  
  The point is, why should patches be held back from everyone else just so your organization has time to plan and test. Your organization can wait until it is ready to apply the patch while some other, more nimble, organization can apply it sooner. There is absolutely no reason for the patch to be held back to give you time to get your duck in a row.
  
  --
  this signature has been removed due to a DMCA takedown notice
26. Re:Predictable cadence? by LeadSongDog · 2015-06-12 04:21 · Score: 1
  
  ... My laptop is starting to cook my bollocks, compiling LibreOffice.
  Sure, it's called a "laptop" in the user manual, but that doesn't constitute a How-to now, does it?
  
  --
  Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
27. Re: Predictable cadence? by Anonymous Coward · 2015-06-12 04:49 · Score: 0
  
  Only when the developers involved are shitheads. Semantic Versioning is a Good Thing, and anybody who says it isn't is one of those shithead developers who has not a clue.
28. Re:Predictable cadence? by thegarbz · 2015-06-12 10:37 · Score: 1
  
  So telling you that the patch will come out on a Tuesday will alleviate your budget, schedule and co-ordination problems, but simply releasing the patch and letting you install it on a Tuesday doesn't?
  Why should I wait for my patch because you have a co-ordination issue?
29. Re:Predictable cadence? by Anonymous Coward · 2015-06-12 14:44 · Score: 0
  
  A predictable cadence is extremely useful for non-zero-day exploits, and even zero-day exploits if the risk is deemed acceptable or can otherwise be mitigated temporarily. The whole notion of a once-a-month patch schedule is entirely for the benefit of corporate customers, to make it easier to test and deploy those patches on a regular schedule.
  Corporations are great at coming up with Procrustean solutions for no other reason than their unhealthy obsession with command and control management. It is possible to manage those thousands of machines without a cadence. It just requires allocating your human capital at less than 100% and using them on demand, which no one does.
30. Re:Predictable cadence? by Dutch+Gun · 2015-06-12 15:28 · Score: 1
  
  Well, I can give you at least one reason:
  Assuming we're talking about non-zero-day exploits (stuff that white hats reported in confidence), part of the issue is that actually releasing a patch tells black hats a lot about how to create an exploit, and this applies to both open source and non-open source, but with slightly different methodologies. It's fairly easy for black hats to reverse engineer a patch to determine exactly how you can now exploit unpatched systems. So, the clock starts ticking the moment the patch is released, essentially. Hence "Patch Tuesday", and "Exploit Wednesday".
  If the patches are released as they're ready, then you're putting corporation IT departments into a near-continuous patch and test cycle. What happens if they're in the middle of some other project and a critical patch is issued? The monthly patch cycle gives them a bit of predictability so they can schedule products around this date.
  Naturally, this doesn't apply to zero-day exploits/patches, especially those which are widely known about. The monthly cycle obviously works against zero day issues in terms of response time, but there's always the option of a temporary workaround, or even an out-of-band patch for extremely serious issues - and that isn't unprecedented.
  
  --
  Irony: Agile development has too much intertia to be abandoned now.
31. Re:Predictable cadence? by Anonymous Coward · 2015-06-12 16:56 · Score: 0
  
  With form 142353-F filled out completely in triplicate, approved and notarized by six senior members of the board, given to the shareholders as early as possible so they can cover their asses, after you backup your e-mail and tech logs / notebooks, three months after you get hacked and all of your data gets lapped up by your competitors, the press, NSA, etc. and your customers have been affected because you didn't just install the fucking update.
32. Re:Predictable cadence? by rdnetto · 2015-06-15 02:54 · Score: 1
  
  Oh well, it's time to:
  $sudo apt-get update && sudo apt-get upgrade
  $sudo pacman -Syu
  #emerge -uva --deep --newuse --keep-going @world
  $sudo yum up
  The third one above is my patch tuesday, wednesday and probably thursday 8) My laptop is starting to cook my bollocks, compiling LibreOffice.
  I run Sabayon, you insensitive clod! :P
  
  --
  Most human behaviour can be explained in terms of identity.
I wish by Anonymous Coward · 2015-06-11 11:13 · Score: 0

Why would I want another 'Tuesday update'. Let's dream big! How about that they would come to my house and install the updates.
1. Re:I wish by viperidaenz · 2015-06-11 11:24 · Score: 1
  
  How about you pay them for the software and they may do something to benefit you more.
OpenSSL has been replaced... by unixisc · 2015-06-11 11:25 · Score: 1

...by LibreSSL in FreeBSD, in addition to in OpenBSD. Wonder how long is it before Linux, Windows and MacOS (both OS-X and iOS) follow?
1. Re:OpenSSL has been replaced... by Anonymous Coward · 2015-06-11 11:35 · Score: 0
  
  That is misleading. LibreSSL is a fork of OpenSSL from 2014. So it would have all the vulnerabilities that OpenSSL has, minus anything that LibreSSL fixes buy does not bother letting anyone know about.
  If you think that simply switching to LibreSSL will make you secure, you're gonna have a bad day.
2. Re:OpenSSL has been replaced... by yuhong · 2015-06-11 11:41 · Score: 1
  
  OS X and iOS already picked SecureTransport years ago, which had it's own problems BTW (though with 10.11 it is finally getting better).
3. Re:OpenSSL has been replaced... by Pow · 2015-06-11 11:49 · Score: 4, Informative
  
  LibreSSL patches today:
  Avoid an infinite loop that can occur when verifying a message with an unknown hash function OID.
  Diff based on OpenSSL.
  Fixes CVE-2015-1792 (however, this code is not enabled/built in LibreSSL).
  ok doug@ miod@
  Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing length checks.
  Diff based on changes in OpenSSL.
  Fixes CVE-2015-1789.
  ok doug@
  Avoid an infinite loop that can be triggered by parsing an ASN.1
  ECParameters structure that has a specially malformed binary polynomial field.
  Issue reported by Joseph Barr-Pixton and fix based on OpenSSL.
  Fixes CVE-2015-1788.
  ok doug@ miod@
4. Re:OpenSSL has been replaced... by Anonymous Coward · 2015-06-11 12:00 · Score: 1
  
  FreeBSD has not replaced OpenSSL with LibreSSL; OpenSSL is still used in the base system, while LibreSSL (like newer versions of OpenSSL, or WolfSSL, or anything else) are available via ports:
  stable/8: http://svnweb.freebsd.org/base/stable/8/crypto/openssl/?view=log
  stable/9: http://svnweb.freebsd.org/base/stable/9/crypto/openssl/?view=log
  stable/10: http://svnweb.freebsd.org/base/stable/10/crypto/openssl/?view=log
  head (FreeBSD 11.x): http://svnweb.freebsd.org/base/head/crypto/openssl/?view=log
  It sure looks like there's a lot of work to be done (API/ABI incompatibilities with ports) before LibreSSL could replace OpenSSL in the base system: https://wiki.freebsd.org/LibreSSL
5. Re:OpenSSL has been replaced... by Bengie · 2015-06-11 14:43 · Score: 2
  
  About 80% of the known OpenSSL bugs that have been fixed, were inadvertently fixed in LibreSSL during the refactoring. Many of OpenSSL's bugs are entirely do to horrible coding practices. Of the remaining 20%, a sizable portion were actually found by LibreSSL during the clean up.
6. Re:OpenSSL has been replaced... by WaffleMonster · 2015-06-11 16:14 · Score: 1
  
  About 80% of the known OpenSSL bugs that have been fixed, were inadvertently fixed in LibreSSL during the refactoring. Many of OpenSSL's bugs are entirely do to horrible coding practices. Of the remaining 20%, a sizable portion were actually found by LibreSSL during the clean up.
  You should immediately contact OpenSSL and have them correct attributions in the change log to reflect this reality.
7. Re:OpenSSL has been replaced... by Anonymous Coward · 2015-06-11 20:25 · Score: 0
  
  Did you miss the part where he said "in LibreSSL"?
  Do you know what a fork is?
  How the fuck do you even Slashdot?
8. Re:OpenSSL has been replaced... by serviscope_minor · 2015-06-11 22:58 · Score: 1
  
  It sure looks like there's a lot of work to be done (API/ABI incompatibilities with ports) before LibreSSL could replace OpenSSL in the base system
  I'm curious as to why: LibreSSL isn't a rewrite from scratch. I thought they were explicitly doing an audit and clean up, which means keepint the external interfaces the same. Or is it just a question of actually testing things to make sure nothing has broken for obscure reasons?
  
  --
  SJW n. One who posts facts.
9. Re:OpenSSL has been replaced... by unixisc · 2015-06-12 00:14 · Score: 1
  
  I thought that they were starting w/ the former, and continuing w/ the latter
10. Re:OpenSSL has been replaced... by jandrese · 2015-06-12 03:11 · Score: 1
  
  IIRC they did remove some of the more obscure APIs, but honestly most of those were research projects that were never used in real life, so they shouldn't break anything. The OpenBSD guys compile their own ports tree against LibreSSL and have only had a small handful of applications break I think.
  
  --
  
  I read the internet for the articles.
11. Re:OpenSSL has been replaced... by Anonymous Coward · 2015-06-12 03:49 · Score: 0
  
  All of them are from this OpenSSL release: http://openssl.org/news/secadv...
I like you by Anonymous Coward · 2015-06-11 12:22 · Score: 0

You and King Frosty are such cheerful trolls... just what we need here
Logjam / Diffie Hellman attacks by complete+loony · 2015-06-11 12:29 · Score: 4, Insightful

OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.
Good. But it doesn't go far enough. How about some kind of deprecation warning if DH is using any well known prime number?

--
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
1. Re:Logjam / Diffie Hellman attacks by luis_a_espinal · 2015-06-12 01:49 · Score: 1
  
  OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.
  Good. But it doesn't go far enough. How about some kind of deprecation warning if DH is using any well known prime number?
  What prime number that is known or effectively computable for DH is not well known? Maybe I'm missing something here.
2. Re:Logjam / Diffie Hellman attacks by complete+loony · 2015-06-12 02:21 · Score: 1
  
  In the logjam paper, they speculate that the NSA has the funds to run the first part of a number field sieve on a small number of 1024bit primes. So long as we keep using software implementations with these well known primes hard coded in their source code, HTTPS SSH & VPN connections may be vulnerable.
  Not putting all of our eggs in one basket reduces this risk considerably. In response to this threat, we should periodically publish and use a new set of primes that are appropriate for DH exchanges. Though I would be happier if it were possible to generate a new prime on the first boot of a server.
  Or we could swap to using a different method for producing session keys.
  
  --
  09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
OpenBSD by xdor · 2015-06-11 15:06 · Score: 1

So Did OpenBSD's much vaunted refactor of OpenSSL turn up this bug before the OpenSSL team found it?
1. Re:OpenBSD by Anonymous Coward · 2015-06-11 16:55 · Score: 0
  
  So Did OpenBSD's much vaunted refactor of OpenSSL turn up this bug before the OpenSSL team found it?
  this is the real question right here
2. Re:OpenBSD by styrotech · 2015-06-11 17:37 · Score: 1
  
  LibreSSL seems to have been immune to somewhere between half and two thirds of OpenSSL vulnerabilities recently. Not perfect, but a significant improvement.
  Early on this was mostly due to the amount of outdated crap they deleted (less attack surface area), but as time goes on more and more will hopefully be due to improving the code that was left behind.
  There's still a long way to go though.
3. Re:OpenBSD by weilawei · 2015-06-11 20:28 · Score: 2
  
  B..b..but... it's not perfect!!!
  Yeah, fuck the whiners. It's a huge step forward, and the whiners don't have the technical chops to know what's going on or why they should shut up and care--or just shut up and accept that something useful is being done and will likely benefit them in the future.
4. Re:OpenBSD by TCM · 2015-06-11 20:32 · Score: 2
  
  From http://www.openbsd.org/errata5... (emphasis mine)
  009: SECURITY FIX: June 11, 2015 All architectures
  Fix several defects from OpenSSL:
  CVE-2015-1788 - Malformed ECParameters causes infinite loop
  CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
  CVE-2015-1792 - CMS verify infinite loop with unknown hash function
  Note that CMS was already disabled in LibreSSL. Several other issues did not apply or were already fixed and one is under review.
  For more information, see the OpenSSL advisory.
  A source code patch exists which remedies this problem.
  
  --
  Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
mbed TLS by Aethedor · 2015-06-11 20:56 · Score: 1

I can advice every software developer to take a look at mbed TLS (former PolarSSL). It has everything a modern SSL-enabled application needs. It's API is easier that OpenSSL's, it has very good documentation (example programs included) and last but not least: it's secure!
No, I'm not the mbed TLS developer or in any way connected or related to mbed TLS. I'm just a very happy developer who replaced OpenSSL with mbed TLS in my project many years ago and never had any reason to look back. Even the users of my project are very happy with it. Good riddance!!

--
It doesn't have to be like this. All we need to do is make sure we keep talking.
Getting so sick of pre-announcements by Anonymous Coward · 2015-06-11 21:03 · Score: 0

Next we'll have pre-announcements for the pre-announcements. Yay for fluffy attention seeking with security problems.
with regards to meaningless slogans by luis_a_espinal · 2015-06-12 01:39 · Score: 1

There's a difference between having the capacity for the moral depravity and incompetence needed to be a politician
What a load of meaningless crock. I'm sure it makes up for one hell of a slogan. Meaningless, but certainly attention-grabbing for the purpose of rhetorical posturing. Congratulations.
1. Re:with regards to meaningless slogans by Demonoid-Penguin · 2015-06-12 12:48 · Score: 1
  
  There's a difference between having the capacity for the moral depravity and incompetence needed to be a politician
  I'm sure it makes up for one hell of a slogan.
  Touchy much?
More KoolAid? by Anonymous Coward · 2015-06-12 02:09 · Score: 0

It's rather common knowledge that "patch Tuesday" was started by MS in order to make things more convenient for corporate customers, instead of releasing patches on an ad hoc schedule.
You've bought Microsoft's line. The only corporate customer that benefited was Microsoft, who can now consolidate regression testing prior to release.
It doesn't matter to the end user(corporate customer) what day the patch comes out on. If the corporate customer cannot test and deploy every other day, they can set their own consolidated test and deploy dates.
What Microsoft did was leave customers exposed to known and exploited vulnerabilities for up to a month. Fortunately, they've realized that this isn't tenable and in fact release critical fixes throughout the month, with the big dump occurring on the second Tuesday.