Slashdot Mirror


'Severe Bug' To Be Patched In OpenSSL

An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some of OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.

11 of 69 comments

  1. thanks Hacked Team! by SethJohnson · · Score: 4, Funny

    Your audit of OpenSSL has already contributed back to the Open Source community, whether voluntary or not.

  2. Security! by ArcadeMan · · Score: 5, Funny

    Always keep your software up-to-date for security reasons!

    OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. [...] The defect does not affect the 1.0.0 or 0.9.8 versions of the library.

    Unless of course the up-to-date versions are less secure than the old versions...

  3. boring boring boring booooooooooring by Anonymous Coward · · Score: 2, Insightful

    So tired of these pre-announcements. What's next, pre-pre-announcements? Just publish already, doofuses.

    1. Re:boring boring boring booooooooooring by Anonymous Coward · · Score: 5, Funny

      It gives some extra time to make up a catchy name for the vulnerability and print some t-shirts.

  4. Monoculture... by Bugler412 · · Score: 4, Interesting

    Remember when everyone thought Windows was the biggest monoculture? Not on the web server side of the business....

  5. Do what Amazon did... by Karmashock · · Score: 3, Interesting

    Offer up a version of the package that is small enough to be audited in detail so that there are very very very few bugs with it.

    I think they said they had it down to 6k? So do that. Obviously that strips out a lot of features people like. So decide what is more important to you.

    Security or covering your car with stickers and truck nuts.

    Good security has to be simple. You get complicated and you get something that can't be fully understood well enough to debug.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.

  6. No more! by Aethedor · · Score: 4, Interesting

    Every software developer, please stop using OpenSSL. It was crap then, it is crap now and it will be crap tomorrow. And LibreSSL is not the solution. You can't turn crap into something nice. You want a decent SSL library, try mbed TLS. Unlike OpenSSL, this library has good documentation (example programs included), has a logical and sane API (no ugly callback shit) and its code is clean and secure.

    I switched from OpenSSL to mbed TLS (named PolarSSL back then) in my open source project some time ago. I should have done it earlier! The migration was easy and only cost me a few days. So, stop punishing yourself and give mbed TLS a try. You won't regret it!!

    Disclaimer:
    No, I'm in no way connected to mbed TLS. Just a happy mbed TLS user who doesn't understand why people keep on torturing themselves and their users.

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.

    1. Re:No more! by Anonymous Coward · · Score: 4, Informative

      GPLv2 (not LGPL) will be a big showstopper for some projects.

    2. Re:No more! by Anonymous Coward · · Score: 2, Insightful

      How about this: mbed TLS is under either a pay-for commercial license or the GPL, neither of which is suitable to everyone's needs, as opposed to Open/LibreSSL's BSD or BSD-like licenses.

      Granted they have a disclaimer at the end about "FOSS License Exception" that makes it *seem* like you can at least use it with most FOSS. But for proprietary software, nothing beats BSD, Apache and the likes.

      This being said, thanks, I'll take a look at it next time I need a TLS library for an open source project.

    3. Re:No more! by phantomfive · · Score: 2

      Eventually. In the June 11th OpenSSL bug fix, LibreSSL was found to be vulnerable to 3 out of 7 of the same vulnerabilities. Source. LibreSSL is better, but still has a lot of weaknesses.

      --
      "First they came for the slanderers and i said nothing."

  7. Re:Use the diffs by Anonymous Coward · · Score: 3, Interesting

    Well, let's assume it's the PSK allowing the buffer overflow.

    We can see the fix here, so let's look at the code they are replacing, specifically:

    - s->ctx->psk_identity_hint = BUF_strdup(tmp_id_hint);
    - if (s->ctx->psk_identity_hint == NULL) {
    + s->session->psk_identity_hint = BUF_strndup((char *)p, i);
    + if (s->session->psk_identity_hint == NULL) {
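Review bot: the bounded copy `BUF_strndup((char *)p, i)` on the added line is only as safe as the check that `i` does not exceed the bytes remaining in the received message, and that check is not in the hunk; confirm it runs before this assignment. Also, since the hint now lives in `s->session`, confirm any earlier value of `s->session->psk_identity_hint` is freed before this overwrite, as the assignment alone would leak it.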

    Looks like they went from strdup() to strndup(). Let's look at when strdup() was introduced:

      git grep "BUF_strdup(" $(git rev-list --all) | grep s3_clnt |awk -F':' '{print $1}' | uniq

    returns ddac197404f585b8da58df794fc3beb9d08e8cd2

    add initial support for RFC 4279 PSK SSL ciphersuites

    PR: 1191
    Submitted by: Mika Kousa and Pasi Eronen of Nokia Corporation
    Reviewed by: Nils Larsch

            OpenSSL_0_9_8k

    Nils Larsch authored on Mar 10, 2006

    Since this was added in 2006 and 0.9.8 is not vulnerable, it is possible this is not the urgent vulnerability. But similar analysis can be done against the 1.0.2 branch and then looking back at the history of commits as I showed here. Good luck.

    -dk
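The strdup-versus-strndup distinction the comment points at, as an added C example that is not OpenSSL's code: a length-prefixed psk_identity_hint field (the RFC 4279 layout) is parsed with the length checked against the bytes remaining in the message and copied with an explicit bound, so the copy never depends on a NUL byte being present in the received data. The constant HINT_MAX_LEN and the sample message are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not OpenSSL code. HINT_MAX_LEN is an assumed upper bound
 * on the identity hint; the sample message below is constructed. */
#define HINT_MAX_LEN 128

/* Parse a psk_identity_hint field laid out as in RFC 4279: a 2-byte
 * big-endian length followed by that many bytes. The bytes on the wire
 * carry no NUL terminator, so the copy must be bounded by the parsed
 * length (the strndup pattern), never by a search for NUL (strdup).
 * Returns a NUL-terminated heap copy, or NULL if the field is absent,
 * truncated or oversized. On success *consumed holds bytes used from p. */
char *parse_psk_identity_hint(const unsigned char *p, size_t n, size_t *consumed)
{
    if (n < 2)
        return NULL;                        /* no room for the length prefix */
    size_t i = ((size_t)p[0] << 8) | p[1];
    if (i > n - 2)
        return NULL;                        /* length runs past the message */
    if (i > HINT_MAX_LEN)
        return NULL;                        /* reject oversized hints */
    char *hint = malloc(i + 1);
    if (hint == NULL)
        return NULL;
    memcpy(hint, p + 2, i);                 /* bounded copy of exactly i bytes */
    hint[i] = '\0';
    if (consumed != NULL)
        *consumed = 2 + i;
    return hint;
}

/* Constructed ServerKeyExchange fragment: hint "hint" followed by one
 * trailing byte that is NOT a NUL, as real wire data need not be. */
static const unsigned char sample_msg[] = { 0x00, 0x04, 'h', 'i', 'n', 't', 0xAA };

/* Returns the length of the parsed hint from the sample, or -1 on failure.
 * The absence of any NUL inside the field is what makes a strdup-style
 * copy read past the field's end; the bounded parser does not care. */
int sample_hint_len(void)
{
    size_t used = 0;
    char *h = parse_psk_identity_hint(sample_msg, sizeof sample_msg, &used);
    if (h == NULL)
        return -1;
    int len = (int)strlen(h);
    free(h);
    return len;
}
```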