Slashdot Mirror
New OpenSSL Security Advisory Announced
New submitter eyeareque writes: It's time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Personally I wish that OpenSSL released these in a predictable cadence. Patch Tuesday maybe?
What's the use of a predictable cadence for security updates? Security vulnerabilities are not found on a schedule. Personally I want my updates ASAP. You can update when you want (but sooner is better for everyone).
LibreSSL patches today:
Avoid an infinite loop that can occur when verifying a message with an unknown hash function OID.
Diff based on OpenSSL.
Fixes CVE-2015-1792 (however, this code is not enabled/built in LibreSSL).
ok doug@ miod@
Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing length checks.
Diff based on changes in OpenSSL.
Fixes CVE-2015-1789.
ok doug@
Avoid an infinite loop that can be triggered by parsing an ASN.1
ECParameters structure that has a specially malformed binary polynomial field.
Issue reported by Joseph Barr-Pixton and fix based on OpenSSL.
Fixes CVE-2015-1788.
ok doug@ miod@
Would you like to discuss all the vulnerabilities in Windows various versions, that has led to MILLIONS of different Malware???
No, I dont use Windows so those dont affect me. The problems with OpenSSL affect me. Also since this a story about the vulnerabilities in OpenSSL why would we change the topic to Windows?
I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.
Good for you but this is nothing to do with Linux or Windows, this is about OpenSSL (or do you think OpenSSL is a Linux thing?).
Your are invited to submit your patches to fix the problems you have found in OpenSSL
Another day closer to redwood heaven
OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.
Good. But it doesn't go far enough. How about some kind of deprecation warning if DH is using any well known prime number?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
LibreSSL for drop-in compatibility? Or gnutls?
Would you like to discuss all the vulnerabilities in Windows various versions, that has led to MILLIONS of different Malware??? Why doesn't Mickey$oft fix most of these??? They simply refuse!!!
I will take Linux, Open Source and Free Software any day of the week, and will deal with any flaws that come up. They are usually corrected quite quickly, and in this case, I am sure they spent a lot of time testing to inure all is fixed.
I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.
Who, the hell, said anything about Windows OR Linux besides you? OpenSSL runs on everything.
Do you really think we shouldn't hold OpenSSL, or any open source software to a higher standard, "because Microsoft"?
. ... are your parents OK with you using the Internet all by yourself?
I bet you don't like some things the government does. You are invited to run for Senate or President. Because obviously if you don't, you should just shut up and gtfo.
Complaining about open source software is like voting, you're letting your voice be heard but letting the other run the show. Submitting patches is like being a politician, you're the only actually doing the work.
About 80% of the known OpenSSL bugs that have been fixed, were inadvertently fixed in LibreSSL during the refactoring. Many of OpenSSL's bugs are entirely do to horrible coding practices. Of the remaining 20%, a sizable portion were actually found by LibreSSL during the clean up.
Can one miss a point that isn't there?
Dear butt-weasel,
People can point out issues even if they are not capable of providing fixes for them.
They can. Indeed they can. Only the other day I saw a bloke in a dressing gown giving similar suggestions to emergency workers fixing power lines. No doubt they appreciated the insights he offered.Just because a particular field of endeavor requires practitioners years of study and experience shouldn't prohibit the intuitively enhanced from giving directions. I bet the computer repair shop appreciate your directions on how to fix problems - that you don't know how to fix.
Not everyone is a coder, you elitist asshat.
Forgive me for not recognising the insurmountable barriers that have prevented you from ever learning to program. I now appreciate that not everyone is an uninformed arse-clown, we all have our crosses to bear. Carry on.
B..b..but... it's not perfect!!!
Yeah, fuck the whiners. It's a huge step forward, and the whiners don't have the technical chops to know what's going on or why they should shut up and care--or just shut up and accept that something useful is being done and will likely benefit them in the future.
From http://www.openbsd.org/errata5... (emphasis mine)
009: SECURITY FIX: June 11, 2015 All architectures
Fix several defects from OpenSSL:
CVE-2015-1788 - Malformed ECParameters causes infinite loop
CVE-2015-1789 - Exploitable out-of-bounds read in X509_cmp_time
CVE-2015-1792 - CMS verify infinite loop with unknown hash function
Note that CMS was already disabled in LibreSSL. Several other issues did not apply or were already fixed and one is under review.
For more information, see the OpenSSL advisory.
A source code patch exists which remedies this problem.
Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
Who, the hell, said anything about Windows OR Linux besides you? OpenSSL runs on everything.
Not just that, but Microsoft is about to incorporate OpenSSH into Windows.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"