'Severe Bug' To Be Patched In OpenSSL
An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some of OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.
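For administrators sizing up the patch window, the useful fact in the summary is the pair of fixing releases (1.0.2d, 1.0.1p) and the two branches declared unaffected (1.0.0, 0.9.8). The POSIX shell functions below, an added example that is not part of the original post or of the OpenSSL project, classify an OpenSSL version string against exactly those facts; anything outside those four branches is reported as "unknown" rather than guessed at. The `installed_status` helper reads the local `openssl version` output and is an assumption about the usual "OpenSSL 1.0.1k 8 Jan 2015" format of that line.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL version
# string against the fixing releases named in the summary. Facts used:
#   1.0.1 branch fixed at 1.0.1p, 1.0.2 branch fixed at 1.0.2d,
#   1.0.0 and 0.9.8 reported as unaffected. Other branches -> "unknown".

# openssl_status VERSION
# Prints one of: affected, fixed, unaffected, unknown
openssl_status() {
    ver="$1"
    case "$ver" in
        1.0.0*|0.9.8*) echo unaffected; return 0 ;;
        1.0.1*)        base=1.0.1; fix=p ;;
        1.0.2*)        base=1.0.2; fix=d ;;
        *)             echo unknown; return 0 ;;
    esac
    rest="${ver#$base}"
    # The character right after the base is the patch letter (e.g. "k" in
    # 1.0.1k). A bare "1.0.1" or "1.0.1-fips" carries no letter, so it
    # predates every lettered release and is therefore affected.
    case "$rest" in
        [a-z]*) letter="$(printf '%s' "$rest" | cut -c1)" ;;
        *)      echo affected; return 0 ;;
    esac
    # Compare patch letters by character code; printf '%d' "'x" is the
    # POSIX way to get ord(x). Single letters suffice for these branches.
    if [ "$(printf '%d' "'$letter")" -lt "$(printf '%d' "'$fix")" ]; then
        echo affected
    else
        echo fixed
    fi
}

# installed_status
# Classifies the OpenSSL binary on PATH. Assumes the usual
# "OpenSSL 1.0.1k 8 Jan 2015" layout, where the second field is the version.
installed_status() {
    v="$(openssl version 2>/dev/null | awk '{print $2}')"
    [ -n "$v" ] || { echo unknown; return 0; }
    openssl_status "$v"
}

# Usage: sh check_openssl.sh 1.0.1k 1.0.2d   (or source it and call installed_status)
if [ "$#" -gt 0 ]; then
    for v in "$@"; do
        printf '%s: %s\n' "$v" "$(openssl_status "$v")"
    done
fi
```

The script deliberately reports "affected" for any 1.0.1 or 1.0.2 build below the fixing letter, including FIPS-suffixed builds, because the summary gives no narrower condition; distribution packages that backport fixes without bumping the letter will show as affected here and need to be checked against the vendor's changelog instead.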
So tired of these pre-announcements. What's next, pre-pre-announcements? Just publish already, doofuses.
How about this: mbed TLS is under either a pay-for commercial license or the GPL, neither of which is suitable to everyone's needs, as opposed to the BSD or BSD-like licenses of OpenSSL/LibreSSL.
Granted they have a disclaimer at the end about "FOSS License Exception" that makes it *seem* like you can at least use it with most FOSS. But for proprietary software, nothing beats BSD, Apache and the likes.
This being said, thanks, I'll take a look at it next time I need a TLS library for an open source project.