OpenSSL Security Update Less Critical Than Expected, Still Recommended
An anonymous reader writes: As announced on Monday, the OpenSSL project team has released new versions of the cryptographic library that fix a number of security issues. The announcement created a panic within the security community, who were dreading the discovery of another Heartbleed-type bug, but as it turns out, the high severity issue fixed is a bug that can be exploited in a DoS attack against servers. Other issues fixed are mostly memory corruption and DoS flaws of moderate and low severity.
Re: (Score:1)
Re: Open sores, lol (Score:2, Funny)
He runs systemd, the premier open source OS.
Re: (Score:3, Insightful)
Another day, another security hole in open sores software.
No, I don't use Micro$hit software either.
Are you kidding me? There's holes in open source software, there's holes in closed source software, there's holes in every piece of software. What else is new? There's no need to degenerate to terms like "Micro$hit" or "open sores". It doesn't make you sound witty, it makes you sound like someone 16 years of age, and it's embarrassing to see this on a site that is supposedly for adults. The sooner all this pathetic name calling stops, the sooner we can actually discuss the core issue at hand. Assuming, of c
Re: (Score:1)
But it did make you butthurt enough to respond to me. :-)
Let's be very clear on something here: I honestly don't give one damn about you. The reason why I responded is that I hoped to warn you how stupid you sound when you say that, so that you won't be ridiculed for talking like a first grader. But if that's how you feel about it, if you really think anyone except that other AC gives one flying fuck's worth, go ahead. Make a fool of yourself.
Re: (Score:1)
And another one in closed source? Your point?
Name one library package that is used as much as openssl that is closed source.
Re: (Score:1)
I'm guessing Fedora will have it in about 5-10 days, during which time about three 100MB Libre Office updates will already have been posted to their mirrors.
Just another reminder to use LibreSSL (Score:5, Informative)
For those unaware, the OpenBSD team forked OpenSSL a while back and started a huge cleanup of the ugly existing codebase. Their project is named LibreSSL, and is available here: https://github.com/libressl-portable/portable
So how did they do?
CVEs that don't affect LibreSSL:
OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291) - Severity: High
Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204) - Severity: High
Base64 decode (CVE-2015-0292) - Severity: Moderate
Multiblock corrupted pointer (CVE-2015-0290) - Severity: Moderate
Segmentation fault in DTLSv1_listen (CVE-2015-0207) - Severity: Moderate
Segmentation fault for invalid PSS parameters (CVE-2015-0208) - Severity: Moderate
DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate
Empty CKE with client auth and DHE (CVE-2015-1787) - Severity: Moderate
Handshake with unseeded PRNG (CVE-2015-0285) - Severity: Low
CVEs that affect LibreSSL:
Segmentation fault in ASN1_TYPE_cmp (CVE-2015-0286) - Severity: Moderate
ASN.1 structure reuse memory corruption (CVE-2015-0287) - Severity: Moderate
PKCS7 NULL pointer dereferences (CVE-2015-0289) - Severity: Moderate
Use After Free following d2i_ECPrivatekey error (CVE-2015-0209) - Severity: Low
X509_to_X509_REQ NULL pointer deref (CVE-2015-0288) - Severity: Low
So LibreSSL had already avoided 9 of these issues as a result of their code cleanup. This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.
Sources:
https://marc.info/?l=openbsd-announce&m=142677546015662
https://www.reddit.com/r/openbsd/comments/2zl6y4/no_highseverity_issues_from_openssl_were_present/
Re: (Score:3)
Yup, I have the feeling that LibreSSL is going to replace OpenSSL like OpenSSH replaced SSH as "the" standard.
The fact that both LibreSSL and OpenSSH are OpenBSD project is not a coincidence...
More details on Undeadly [undeadly.org].
Re: (Score:3)
Maybe
With ssh the original project had moved to a proprietary license, so Linux distros that only accepted free software had to go with a fork or stick with a very outdated version. With openssl the original project is still alive. So the developers of Linux distros will have to have a big argument over whether the reduced security exposure outweighs the reduced feature set.
Re: (Score:2)
There's also a thorny license issue: some projects released under the GPL make an exception for openssl, and it's not always clear whether that would apply to forks of openssl.
Re: (Score:2)
AFAIK, OpenSSL is Apache Licensed and LibreSSL is, well... BSD-Licensed.
If you accept an Apache-style license, I really don't see why LibreSSL's BSD is a problem.
You had a better argument when it came to the fact that OpenSSL is still active. Or, at least, that there is activity in the project, including some projects to audit the whole thing.
Re:Just another reminder to use LibreSSL (Score:4, Informative)
No, OpenSSL is not Apache licensed. It has its own license, similar to BSD-with-attribution license. And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.
It's also why Red Hat started work to standardize on Mozilla's NSS as the one true SSL library. However, I'm not sure what the status of that project is.
Re: (Score:2)
And the thorny issue is that this license is not compatible with the GPL. That's why projects have to modify the GPL to make a specific exception for it.
Exactly and in most cases the exception says "openssl". Does a slightly patched version from a distro still count as "openssl"? Does a forked and renamed version with substantial changes still count as "openssl"?
Re: (Score:2)
So LibreSSL had already avoided 9 of these issues as a result of their code cleanup.
At least 5 of them are a result of forking before the relevant code/feature existed.
CVE-2015-0208, CVE-2015-0207, CVE-2015-0290, CVE-2015-0285 and CVE-2015-0291
This includes all CVEs labelled as high severity. This is just another reminder to use LibreSSL.
I think having other forks and more people working on a project is ultimately great for everyone. The tit-for-tat elitism and misleading hyperbole is not productive.
Re: (Score:2)
The libressl fork was 11 months ago. They managed to add 5 (at a minimum) critical vulnerabilities in the past 11 months? Jeezus fucking christ.
When you're in a hole, stop digging.
Re: (Score:2)
The libressl fork was 11 months ago. They managed to add 5 (at a minimum) critical vulnerabilities in the past 11 months?
Probably a *lot* more than that. These are only bugs having been caught thus far.
Jeezus fucking christ.
OpenSSL is currently offering and maintaining four separate release trains for download from the bleeding edge to ancient versions lacking TLS 1.1/1.2 support.
Hard to get excited about DOS/crash shit limited to a new immature branch only a dufus would select for production use... or in other words ...OMFG the sky is falling..
Re: (Score:2)
That is not such a big difference, considering most installations are still using OpenSSL (more eyes...).
LibreSSL is still valued for their efforts, but they and most of the IT community waited until a major crisis occurred before taking action. Now that OpenSSL has been in the spotlight and finally received decent funding to do their own reviews and cleanup, I'm not sure where that leaves LibreSSL.
Re: (Score:1)
This is not a fair comparison.
LibreSSL forked OpenSSL 1.0.1. Therefore LibreSSL would never have been vulnerable to issues that did not affect 1.0.1, since those arose after the codebases split. A fairer comparison would be to compare issues that affected OpenSSL 1.0.1 with LibreSSL. You also should not include CVE-2015-0204, since that is just a reclassification of a previously fixed defect. Similarly, CVE-2015-0292 was a historic issue not in recent versions of OpenSSL, so it also should not be included. By t