Slashdot Mirror


New OpenSSL Security Advisory Announced

New submitter eyeareque writes: It's time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Personally I wish that OpenSSL released these in a predictable cadence. Patch Tuesday maybe?

4 of 95 comments

  1. More like App Appday! by Anonymous Coward · Score: 0, Interesting

    OpenSSL would be more secure if it was an app instead of Luddite software, because only apps can app apps!

    Apps!

  2. Re:And I wish... by Ziest · Score: 2, Interesting

    You are invited to submit your patches to fix the problems you have found in OpenSSL.

    --
    Another day closer to redwood heaven

  3. Re:And I wish... by ToasterMonkey · Score: 4, Interesting

    Would you like to discuss all the vulnerabilities in the various versions of Windows that have led to MILLIONS of different Malware??? Why doesn't Mickey$oft fix most of these??? They simply refuse!!!

    I will take Linux, Open Source and Free Software any day of the week, and will deal with any flaws that come up. They are usually corrected quite quickly, and in this case, I am sure they spent a lot of time testing to ensure all is fixed.

    I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.

    Who, the hell, said anything about Windows OR Linux besides you? OpenSSL runs on everything.
    Do you really think we shouldn't hold OpenSSL, or any open source software to a higher standard, "because Microsoft"?

    ... are your parents OK with you using the Internet all by yourself?

  4. Re:Predictable cadence? by myowntrueself · Score: 4, Interesting

    You're obviously patching your own machine, not thousands of other people's machines, for whom any patch carries the risk of breaking mission-critical software and potentially costing your company millions of dollars in lost productivity per day.

    Not quite *any* patch.

    Debian has a good reputation for not changing anything in a security patch other than the security vulnerability itself. I.e. if the version of the software in the distribution is, say, 1.0, then applying security updates will never change the version to 2.0. The patched version has exactly the same behaviors as the version it's updating, minus the security vulnerabilities. If you were somehow taking advantage of those vulnerabilities then, well, that's your problem. Also, if you are mixing in 3rd-party non-Debian-packaged software, you are on your own there too. But a pure Debian server should be able to be apt-get upgraded with no problems.

    (There was one time when the package maintainer of sudo _decided_ that the defaults for handling environment variables were 'unsecure' and changed them as a security update, which broke a lot of people's shit. But that was a long time ago.)

    --
    In the free world the media isn't government run; the government is media run.