Slashdot Mirror


Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs (arstechnica.com)

An anonymous reader cites a story on Ars Technica: Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers. The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h. The decryption vulnerability is the result of what cryptographers call a padding oracle weakness, which allows attackers to repeatedly probe an encrypted payload for clues about the plaintext content inside. According to TLS expert Filippo Valsorda, the bug allows for only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends it repeatedly.
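The padding oracle weakness described above, as an added illustration that is not from the Ars article or from OpenSSL's own code: a naive MAC-then-encrypt record check that reports bad padding and bad MAC differently (and skips the MAC entirely on bad padding), beside a hardened check that always computes and compares a MAC and returns a single error. It assumes PKCS#7-style padding and HMAC-SHA256 as stand-ins for the TLS CBC padding and MAC, and since Python cannot promise constant-time execution it shows the structure of the defence rather than a timing guarantee.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 tag length (assumption: stand-in for the TLS MAC)


def make_record(plaintext: bytes, key: bytes, block: int = 16) -> bytes:
    """Build a decrypted MAC-then-encrypt record: data || MAC || padding.
    PKCS#7-style padding is a simplification of the TLS CBC padding scheme."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    pad = block - len(body) % block
    return body + bytes([pad]) * pad


def leaky_check(record: bytes, key: bytes) -> str:
    """Naive check: distinct results for bad padding and bad MAC.
    That distinction (by error code, or by how long the check takes) is
    the signal a padding oracle probes to learn plaintext bytes."""
    if len(record) < MAC_LEN + 1:
        return "bad_padding"
    pad = record[-1]
    if pad == 0 or pad > len(record) - MAC_LEN or record[-pad:] != bytes([pad]) * pad:
        return "bad_padding"  # returns early: no MAC is computed at all
    body, tag = record[:-pad - MAC_LEN], record[-pad - MAC_LEN:-pad]
    if hmac.new(key, body, hashlib.sha256).digest() != tag:
        return "bad_mac"
    return "ok"


def hardened_check(record: bytes, key: bytes) -> str:
    """Hardened check: padding validity is recorded, but a MAC is always
    computed and compared, and the caller only ever sees one error."""
    if len(record) < MAC_LEN + 1:
        return "bad_record"
    pad = record[-1]
    good_pad = 0 < pad <= len(record) - MAC_LEN and record[-pad:] == bytes([pad]) * pad
    # On bad padding, behave as if the padding were one byte so the MAC
    # verification still runs over a plausible body instead of being skipped.
    if not good_pad:
        pad = 1
    body, tag = record[:-pad - MAC_LEN], record[-pad - MAC_LEN:-pad]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(expected, tag)  # constant-time comparison
    return "ok" if (mac_ok and good_pad) else "bad_record"
```

Run `leaky_check` and `hardened_check` on a record with a corrupted padding byte and on one with a corrupted MAC byte: the naive check tells the two cases apart, the hardened one does not.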

15 of 61 comments

  1. Purged, so it's no longer aged and bloated by jfdavis668 · · Score: 2

    That's a relief.

  2. Don't hold back by halivar · · Score: 3, Insightful

    Tell us how you really feel about OpenSSL.

  3. i've fallen and everyone's just laughing by Pseudonymous Powers · · Score: 2

    Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs

    The way that headline is phrased makes me want to call the Elder Abuse Hotline.

    1. Re:i've fallen and everyone's just laughing by 93 Escort Wagon · · Score: 2

      When did OpenSSL stop beating its wife?

      --
      #DeleteChrome
  4. Truly open by Aethedor · · Score: 4, Funny

    Well, at least they've chosen the right name. It's truly open...

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
  5. Re:Simple question by jandrese · · Score: 4, Informative

    A few reasons.
    1. LibreSSL has no FIPS mode. FIPS mode is kind of dumb, but it is required in some environments.
    2. LibreSSL was effectively OpenBSD only for some time. The compatibility shims have been written for other OSes now I think, but it hasn't been available for as long as you think.
    3. Swapping SSL libraries is a major change, beyond what is appropriate for a point release. Conservative distros (LTS type distros especially) will be using OpenSSL for years to come because it's too big of a change to attempt outside of a major version bump.

    --

    I read the internet for the articles.
  6. Re:Simple question by phayes · · Score: 5, Informative

    Add to those reasons the knowledge that the "better alternative" had the same undiscovered bugs and that OpenSSL found them first.

    --
    Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  7. Re:Simple question by Rakshasa Taisab · · Score: 2

    They say FIPS and a secure, cleanly coded SSL library can't work, so who cares about some government-mandated 'standard'.

    LibreSSL has been multi-platform for a year or so now, what are you smoking?

    Switching to LibreSSL is no more than a binary (or source) package change as it has the same ABI/API as OpenSSL except for the retarded bits.

    --
    - These characters were randomly selected.
  8. What a coincidence by WaffleMonster · · Score: 2

    "We have released LibreSSL 2.3.4, which will be arriving in the LibreSSL directory of your local OpenBSD mirror soon.

    This release is based on the stable OpenBSD 5.9 branch.

    * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding. From OpenSSL."

  9. Re:Simple question by WaffleMonster · · Score: 3, Insightful

    Why is OpenSSL still being used? LibreSSL is a better alternative that was forked from OpenSSL a couple of years ago. Why is OpenSSL still around?

    Why are the majority of bug fixes flowing from OpenSSL to LibreSSL and not the other way around?

  10. Re:Simple question by zyche · · Score: 3, Informative

    While that is true to some extent, decisions taken by the LibreSSL team have prevented a lot of vulnerabilities.

    Notably, none of the vulnerabilities found in OpenSSL and rated "High" were applicable to LibreSSL.

  11. Re:Simple question by Junta · · Score: 3, Interesting

    The point is the flamebait title is disingenuous, as it wants to paint a picture that OpenSSL is stupid, and the heir apparent for those with that mindset is LibreSSL. Meanwhile, this specific scenario they want to hold up as evidence.... well it's no better than LibreSSL for these. Maybe the argument can be made in other ways, but here it's just bad form.

    --
    XML is like violence. If it doesn't solve the problem, use more.
  12. The value of Open Source. by DerekLyons · · Score: 2

    "the bug was introduced in the 2013 patch"

    Yep. With Open Source, there's a lot of eyes on code and this kinda stuff doesn't happen like it does with proprietary code.

  13. Re:Simple question by Antique Geekmeister · · Score: 2

    > LibreSSL has avoided many CVE by getting rid of dangerous and bloated code

    And discarded compatibility with many, if not most, of the platforms that OpenSSL supports.

  14. Re:LibreSSL by Antique Geekmeister · · Score: 2

    >> Why are the majority of bug fixes flowing from OpenSSL to LibreSSL and not the other way around?

    > Because there have hardly been any fixes in LibreSSL needed in the first place?

    Because the original LibreSSL was not to add features. It was to discard unnecessary code from the forked version of OpenSSL. Shrinking a large project by 25%, as LibreSSL seems to have done successfully, can easily solve quite a few problems, especially the complex cross-platform components. But it doesn't automatically fix _any_ of the original problems in the shared codebase.