'Severe Bug' To Be Patched In OpenSSL
An anonymous reader writes: The Register reports that upcoming OpenSSL versions 1.0.2d and 1.0.1p are claimed to fix a single security defect classified as "high" severity. It is not yet known what this mysterious vulnerability is — that would give the game away to attackers hoping to exploit the hole before the patch is released to the public. Some of OpenSSL's examples of "high severity" vulnerabilities are a server denial-of-service, a significant leak of server memory, and remote code execution. If you are a system administrator, get ready to patch your systems this week. The defect does not affect the 1.0.0 or 0.9.8 versions of the library.
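For administrators deciding which hosts need this patch, here is an added example (not from the story or the OpenSSL project) that classifies `openssl version` banners against the releases the advisory names: 1.0.2d and 1.0.1p fix it, 1.0.0 and 0.9.8 are unaffected, and any other branch is outside the advisory. The sample banners are constructed.

```python
import re

# Fixed releases named in the advisory: 1.0.2d and 1.0.1p. The advisory also
# states that 1.0.0 and 0.9.8 are not affected. Other branches are not covered.
FIXED_RELEASES = {"1.0.2": "d", "1.0.1": "p"}
UNAFFECTED_BRANCHES = {"1.0.0", "0.9.8"}

# Matches the start of `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
_BANNER_RE = re.compile(r"\bOpenSSL\s+(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Split a banner into (branch, patch letters): '1.0.1e-fips ...' -> ('1.0.1', 'e')."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return m.group(1), m.group(2)


def letter_rank(letters):
    """Sort key for OpenSSL patch letters: '' < 'a' < ... < 'z' < 'za' < 'zb' ...
    (the base release carries no letter; after 'z' OpenSSL continued with 'za', 'zb', ...)."""
    return (len(letters), letters)


def assess(banner):
    """Classify a banner against this advisory: 'vulnerable' (affected branch, older
    than the fix), 'fixed', 'unaffected', or 'not covered' (branch not in the advisory)."""
    branch, letters = parse_openssl_version(banner)
    if branch in UNAFFECTED_BRANCHES:
        return "unaffected"
    if branch not in FIXED_RELEASES:
        return "not covered"
    if letter_rank(letters) < letter_rank(FIXED_RELEASES[branch]):
        return "vulnerable"
    return "fixed"


# Constructed sample banners (not taken from real hosts).
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e-fips 11 Feb 2013",
    "OpenSSL 1.0.2 22 Jan 2015",
    "OpenSSL 1.0.2d 9 Jul 2015",
    "OpenSSL 0.9.8zh 3 Dec 2015",
    "OpenSSL 1.1.0 25 Aug 2016",
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print("%-36s %s" % (b, assess(b)))
```

Distributions that backport fixes (Debian, RHEL and others) keep the upstream letter and bump only their package revision, so a "vulnerable" result is a prompt to check the package changelog, not proof of exposure.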
Your audit of OpenSSL has already contributed back to the Open Source community, whether voluntary or not.
Always keep your software up-to-date for security reasons!
Unless of course the up-to-date versions are less secure than the old versions...
It gives some extra time to make up a catchy name for the vulnerability and print some t-shirts.
Remember when everyone thought Windows was the biggest monoculture? Not on the web server side of the business....
Every software developer, please stop using OpenSSL. It was crap then, it is crap now and it will be crap tomorrow. And LibreSSL is not the solution. You can't turn crap into something nice. You want a decent SSL library, try mbed TLS. Unlike OpenSSL, this library has good documentation (example programs included), has a logical and sane API (no ugly callback shit) and its code is clean and secure.
I switched from OpenSSL to mbed TLS (named PolarSSL back then) in my open source project some time ago. I should have done it earlier! The migration was easy and only cost me a few days. So, stop punishing yourself and give mbed TLS a try. You won't regret it!!
Disclaimer: No, I'm in no way connected to mbed TLS. Just a happy mbed TLS user who doesn't understand why people keep on torturing themselves and their users.
It doesn't have to be like this. All we need to do is make sure we keep talking.