Slashdot Mirror


New OpenSSL Security Advisory Announced

New submitter eyeareque writes: It's time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Personally I wish that OpenSSL released these in a predictable cadence. Patch Tuesday maybe?

5 of 95 comments

  1. Predictable cadence? by mars-nl · Score: 5, Insightful

    What's the use of a predictable cadence for security updates? Security vulnerabilities are not found on a schedule. Personally I want my updates ASAP. You can update when you want (but sooner is better for everyone).

    1. Re:Predictable cadence? by Dutch+Gun · Score: 3, Insightful

      You're obviously patching your own machine, not thousands of other people's machines, for whom any patch carries the risk of breaking mission-critical software and potentially costing your company millions of dollars in lost productivity per day. A predictable cadence is extremely useful for non-zero-day exploits, and even zero-day exploits if the risk is deemed acceptable or can otherwise be mitigated temporarily. The whole notion of a once-a-month patch schedule is entirely for the benefit of corporate customers, to make it easier to test and deploy those patches on a regular schedule.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  2. Re:And I wish... by Anonymous Coward · Score: 2, Insightful

    Would you like to discuss all the vulnerabilities in Windows' various versions that have led to MILLIONS of different malware???

    No, I don't use Windows, so those don't affect me. The problems with OpenSSL affect me. Also, since this is a story about the vulnerabilities in OpenSSL, why would we change the topic to Windows?

    I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.

    Good for you, but this has nothing to do with Linux or Windows; this is about OpenSSL (or do you think OpenSSL is a Linux thing?).

  3. Logjam / Diffie Hellman attacks by complete+loony · Score: 4, Insightful

    OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.

    Good. But it doesn't go far enough. How about some kind of deprecation warning if DH is using any well-known prime number?

    --
    09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
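A client-side check of the kind this comment describes, as an added example that is not from the thread or from OpenSSL's code: it parses the ServerDHParams at the front of a TLS 1.2 ServerKeyExchange, rejects a prime below the 768-bit floor the comment mentions, and warns when dh_p is one of the RFC 2409 Oakley primes. The well-known-prime list is an assumption of this example and is abbreviated to those two groups.

```python
# Well-known primes from RFC 2409 (Oakley groups 1 and 2), transcribed by the
# example's author; check them against the RFC before relying on this tooling.
OAKLEY_GROUP1_768 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF
""".split()), 16)
OAKLEY_GROUP2_1024 = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
WELL_KNOWN_PRIMES = {  # assumed, abbreviated list for this example
    OAKLEY_GROUP1_768: "RFC 2409 Oakley group 1 (768-bit)",
    OAKLEY_GROUP2_1024: "RFC 2409 Oakley group 2 (1024-bit)",
}
MIN_DH_BITS = 768  # the floor the comment describes; 1024 is the planned next step

def parse_server_dh_params(body):
    """Parse ServerDHParams (RFC 5246 7.4.3): dh_p, dh_g, dh_Ys, each a
    2-byte length followed by a big-endian integer. Bytes after dh_Ys
    (the server's signature) are ignored here."""
    values, off = [], 0
    for name in ("dh_p", "dh_g", "dh_Ys"):
        n = int.from_bytes(body[off:off + 2], "big")
        raw = body[off + 2:off + 2 + n]
        if n == 0 or len(raw) != n:  # zero-length or truncated field
            raise ValueError(f"bad or truncated {name} (length {n})")
        values.append(int.from_bytes(raw, "big"))
        off += 2 + n
    return tuple(values)

def encode_server_dh_params(p, g, ys):
    """Inverse of the parser; used only to build constructed samples."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def assess_dh_params(p, g, ys, min_bits=MIN_DH_BITS):
    """'reject' findings mirror the size floor; 'warn' is the deprecation
    notice the comment asks for; the dh_Ys range check is basic hygiene."""
    findings = []
    if p.bit_length() < min_bits:
        findings.append(f"reject: dh_p is {p.bit_length()} bits, below {min_bits}")
    if p in WELL_KNOWN_PRIMES:
        findings.append(f"warn: dh_p is the well-known {WELL_KNOWN_PRIMES[p]}")
    if not 1 < ys < p - 1:
        findings.append("reject: dh_Ys outside (1, p-1)")
    return findings
```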
  4. Re:And I wish... by Bengie · Score: 4, Insightful

    I bet you don't like some things the government does. You are invited to run for Senate or President. Because obviously if you don't, you should just shut up and gtfo.

    Complaining about open source software is like voting: you're letting your voice be heard but letting others run the show. Submitting patches is like being a politician: you're the only one actually doing the work.