Multiple Vulnerabilities in OpenSSL
gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."
Re:Non-Exploitable Security DOS Exploit (Score:5, Interesting)
For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it? It also glosses over insignificant little details, such as:
Dumb questions I'm sure, but the answers have never been revealed in a form I can understand.
Schwab
Re:Yawn (Score:5, Interesting)
Sure, it's entirely possible to write perfect C code with no mistakes, and it's possible to not validate input on Java code and make plenty of mistakes. You gave a great example: SQL injection attacks. Java has some great defenses against that: Use java.sql.PreparedStatement instead of java.sql.Statement. Even better, use something like JDO to give an abstracted OO view of the data.
Here's where C breaks down: The human mind doesn't think in the right way to use C safely. We can't change the human mind (yet), but we can change which language we use. Humans just don't spot out-of-range errors, for example, but out-of-range errors are all trapped in Java, and also, because Java collections know their size (unlike C arrays/pointers), out-of-range errors are much more obvious.
Also, saying that "if you validate your input you can run it at any priv level you want" is just the wrong way to think about this. Mistakes will happen in any sufficiently large system (i.e., any system that is large enough to be useful today). The only reasonable thing to do is to contain those mistakes, which means isolate processes and functions.
Or you can keep on repeating "nothing bad would ever happen if we didn't make any mistakes!" I guess if that's what you think, I can't change your mind.
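The Statement-versus-PreparedStatement point above, shown side by side as an added example that is not part of the original comment. It assumes an in-memory H2 database (jdbc:h2:mem:) on the classpath and a constructed users table; the input used is a legitimate name containing a quote, which breaks the concatenated query but is handled correctly when bound as a parameter.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class UserLookup {

    // Vulnerable form: the caller's string becomes part of the SQL text, so a
    // quote character in it changes the statement the database parses.
    static boolean existsUnsafe(Connection conn, String name) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE name = '" + name + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // Fixed form: the SQL text is constant and the value is bound as a
    // parameter, so the driver hands it to the database purely as data.
    static boolean existsSafe(Connection conn, String name) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(
                "SELECT 1 FROM users WHERE name = ?")) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) throws SQLException {
        // Assumption: an in-memory H2 database driver is on the classpath.
        try (Connection conn = DriverManager.getConnection("jdbc:h2:mem:demo")) {
            try (Statement st = conn.createStatement()) {
                st.execute("CREATE TABLE users (name VARCHAR(64))");
                st.execute("INSERT INTO users VALUES ('O''Brien')"); // constructed row
            }
            String input = "O'Brien"; // a legitimate value that contains a quote
            System.out.println("safe lookup found row: " + existsSafe(conn, input));
            try {
                System.out.println("unsafe lookup found row: " + existsUnsafe(conn, input));
            } catch (SQLException e) {
                // The quote altered the statement text: that is the mechanism behind
                // SQL injection, and the reason the bound-parameter form is preferred.
                System.out.println("unsafe lookup failed: " + e.getMessage());
            }
        }
    }
}
```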
You need to monitor security lists (Score:4, Interesting)
Don
OpenSSL in Java would be too slow (Score:4, Interesting)
For most applications, you are right that safety outweighs performance concerns. However, OpenSSL is in that 1% of applications where performance outweighs everything. It is a crypto library. Crypto is extremely CPU intensive.
OpenSSL is expected to run as fast as possible, to the point where parts of it aren't even written in C. The core bignum and hashing routines are written in assembly language for various platforms.
You even mentioned this caveat:
if you're not writing an OS, a game, or a calculation based app (lapack, etc...)
But you didn't seem to realize that this caveat certainly applies to OpenSSL (if ever there were a calculation based app, this is it).
Re:Non-Exploitable Security DOS Exploit (Score:3, Interesting)
Windows Update consists of at least 4 click-then-wait-a-while cycles before your software is updated, and several packages must be installed separately (MSIE, service packs, DirectX, etc). On Debian, at least, you can run one command (apt-get update && apt-get -y upgrade) that will often complete the entire upgrade process, without reboots, etc.
Also, apt-get will upgrade third-party software. Windows Update does not.