New OpenSSL Security Advisory Announced
New submitter eyeareque writes: It's time to patch OpenSSL again. The OpenSSL project has patched several moderate- and low-severity security vulnerabilities and also has added protection against the Logjam attack in new releases of the software. Personally I wish that OpenSSL released these in a predictable cadence. Patch Tuesday maybe?
What's the use of a predictable cadence for security updates? Security vulnerabilities are not found on a schedule. Personally I want my updates ASAP. You can update when you want (but sooner is better for everyone).
LibreSSL patches today:
Avoid an infinite loop that can occur when verifying a message with an unknown hash function OID.
Diff based on OpenSSL.
Fixes CVE-2015-1792 (however, this code is not enabled/built in LibreSSL).
ok doug@ miod@
Avoid a potential out-of-bounds read in X509_cmp_time(), due to missing length checks.
Diff based on changes in OpenSSL.
Fixes CVE-2015-1789.
ok doug@
Avoid an infinite loop that can be triggered by parsing an ASN.1 ECParameters structure that has a specially malformed binary polynomial field.
Issue reported by Joseph Barr-Pixton and fix based on OpenSSL.
Fixes CVE-2015-1788.
ok doug@ miod@
OpenSSL has added protection for TLS clients by rejecting handshakes with DH parameters shorter than 768 bits. This limit will be increased to 1024 bits in a future release.
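The client-side floor described in this comment, as an added example that is not OpenSSL's or LibreSSL's own code: it parses the ServerDHParams vectors (p, g, Ys) carried in a TLS ServerKeyExchange and rejects a modulus below 768 bits, the limit the comment cites. The sample parameters are constructed, not real group values.

```python
import struct

# Minimum DH modulus size the client accepts; 768 is the floor named in the story,
# with 1024 announced as the future value. Pass min_bits=1024 to apply the stricter one.
MIN_DH_BITS = 768


class WeakDHError(ValueError):
    """Raised when a server offers DH parameters below the configured floor."""


def parse_server_dh_params(data: bytes) -> dict:
    """Parse ServerDHParams (RFC 5246 7.4.3): three 16-bit-length-prefixed vectors."""
    fields, offset = {}, 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if offset + length > len(data):
            raise ValueError(f"truncated inside {name}")
        fields[name] = data[offset:offset + length]
        offset += length
    if offset != len(data):
        raise ValueError("trailing bytes after ServerDHParams")
    return fields


def dh_prime_bits(p: bytes) -> int:
    """Effective bit length of p; leading zero bytes a server pads with do not count."""
    return int.from_bytes(p, "big").bit_length()


def check_server_dh_params(data: bytes, min_bits: int = MIN_DH_BITS) -> int:
    """Return the modulus size in bits, or raise WeakDHError if it is below min_bits."""
    bits = dh_prime_bits(parse_server_dh_params(data)["p"])
    if bits < min_bits:
        raise WeakDHError(f"DH modulus is {bits} bits, below the {min_bits}-bit floor")
    return bits


def build_server_dh_params(p: bytes, g: bytes, ys: bytes) -> bytes:
    """Constructed helper: encode the three vectors the way a server would."""
    return b"".join(struct.pack("!H", len(v)) + v for v in (p, g, ys))


if __name__ == "__main__":
    # Constructed samples: a 512-bit export-sized modulus (padded with a zero byte) and a 1024-bit one.
    weak = build_server_dh_params(b"\x00" + b"\xff" * 64, b"\x02", b"\x01" * 64)
    strong = build_server_dh_params(b"\xff" * 128, b"\x02", b"\x01" * 128)
    for blob in (strong, weak):
        try:
            print("accepted, modulus bits:", check_server_dh_params(blob))
        except WeakDHError as err:
            print("rejected:", err)
```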
Good. But it doesn't go far enough. How about some kind of deprecation warning if DH is using any well known prime number?
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
Would you like to discuss all the vulnerabilities in the various versions of Windows, which have led to MILLIONS of different pieces of Malware??? Why doesn't Mickey$oft fix most of these??? They simply refuse!!!
I will take Linux, Open Source and Free Software any day of the week, and will deal with any flaws that come up. They are usually corrected quite quickly, and in this case, I am sure they spent a lot of time testing to ensure all is fixed.
I sleep very well at night using Linux, and NOT using Windows software as much as humanly possible.
Who the hell said anything about Windows OR Linux besides you? OpenSSL runs on everything.
Do you really think we shouldn't hold OpenSSL, or any open source software to a higher standard, "because Microsoft"?
... are your parents OK with you using the Internet all by yourself?
I bet you don't like some things the government does. You are invited to run for Senate or President. Because obviously if you don't, you should just shut up and gtfo.
Complaining about open source software is like voting: you're letting your voice be heard but letting others run the show. Submitting patches is like being a politician: you're the only one actually doing the work.