
OpenSSL Patches Eight New Vulnerabilities

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.
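The "running OpenSSL server instances" in the quote is the part admins most often get wrong: installing the new libssl/libcrypto package does nothing for a daemon that is already up, because it keeps the old, now-unlinked copy mapped until it is restarted. The script below is an added example (not from the submission, the article, or the OpenSSL project); it assumes a Linux host where the replaced library still shows up in each process's /proc/<pid>/maps with a "(deleted)" suffix, and the function names and the sample maps text are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the article or the OpenSSL project.
# Upgrading the libssl/libcrypto package does not fix a daemon that is
# already running: it keeps the old (now unlinked) library mapped until it
# is restarted. On Linux such a mapping shows up in /proc/<pid>/maps with
# the path suffixed by "(deleted)". This scans for exactly that.

# Read one process's maps text on stdin and print the paths of any
# libssl/libcrypto mappings whose file has been replaced, one per line.
# Kept as a pure text filter so it can be exercised on constructed input.
stale_tls_libs_in_maps() {
    # maps fields: address perms offset dev inode pathname [(deleted)]
    awk '$6 ~ /lib(ssl|crypto)[^ ]*\.so/ && $7 == "(deleted)" { print $6 }' | sort -u
}

# Walk every readable /proc/<pid>/maps and report, one line per process:
# pid, command line (truncated) and the stale libraries it still maps.
# Prints nothing when every process has been restarted onto the new library.
report_stale_tls_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(stale_tls_libs_in_maps < "$maps") || continue
        [ -n "$libs" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
        printf '%s\t%s\t%s\n' "$pid" "$cmd" "$(printf '%s' "$libs" | tr '\n' ',')"
    done
}

# Constructed sample of what a post-upgrade, not-yet-restarted daemon's
# maps file looks like (addresses, inodes and paths are made up).
SAMPLE_MAPS='7f1e2c000000-7f1e2c021000 rw-p 00000000 00:00 0
7f1e2c021000-7f1e2c1b1000 r-xp 00000000 08:01 131077 /lib/x86_64-linux-gnu/libc-2.19.so
7f1e2c1b1000-7f1e2c1d5000 r-xp 00000000 08:01 131079 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1e2c1d5000-7f1e2c3d4000 ---p 00024000 08:01 131079 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f1e2c3d4000-7f1e2c43a000 r-xp 00000000 08:01 131081 /lib/x86_64-linux-gnu/libssl.so.1.0.0 (deleted)
7f1e2c43a000-7f1e2c45b000 r-xp 00000000 08:01 131090 /usr/lib/libfoo.so (deleted)
7ffd5e3f0000-7ffd5e411000 rw-p 00000000 00:00 0 [stack]'

# Run the live scan only when asked, so sourcing or testing the file has no side effects.
if [ "${1:-}" = "--scan" ]; then
    report_stale_tls_processes
fi
```

Run it as root with `--scan` right after the package upgrade; every line it prints is a service that still executes the pre-patch code and needs a restart (or a reboot if the list includes init-level processes). It only catches dynamically linked consumers: a binary that statically links OpenSSL never maps a libssl file at all, so those have to be tracked through the package or build system instead.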
  • Sick of this (Score:3, Insightful)

    by Anonymous Coward on Saturday January 10, 2015 @12:21AM (#48779639)

    LibreSSL can't come soon enough.

    • by Anonymous Coward

      A library with bugs in it? An open source project is getting fixed as more people look at it? The hell you say.... Next you will be telling me they fix bugs in the kernel.... weeeeeeeeeeird....

      • by Anonymous Coward

        Five of those vulnerabilities are two and a half months old. I don't care how "low" the severity is, it should not take that long to be patched.

  • by slincolne ( 1111555 ) on Saturday January 10, 2015 @01:38AM (#48779819)
    The beauty of Open Source is that when issues like this are discovered, they are dealt with.

    With a closed source product you basically have to trust the vendor to get it right, and to patch defects in a timely manner.

    OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

    I just wish that the big players who use this in their products would support the developers - and make it a better outcome for all of us who rely on this product.

    • OpenSSL is a classic demonstration of two of the truths of computer programming - namely that good cryptography is HARD.

      #2: write readable and maintainable code.

    • by Lennie ( 16154 )

      I think this is a good sign for a different reason.

      We all know OpenSSL could be a lot better. Supposedly they got more funding.

      If they are busy finding and fixing bugs, that could be a good thing.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      Or possibly that people who are good at cryptography aren't necessarily very good at programming.
      Many of the bugs have nothing to do with cryptography but are the result of bad programming practices in general.

    • OpenSSL is a classic demonstration of one of the truths of computer programming - namely that good cryptography is HARD.

      OpenSSL is a mess that demonstrates nothing of the sort. Cryptography is hard, but OpenSSL lost before getting to that point by having horrid coding practices.

      If you want to have a clear understanding of how bad it is, the OpenBSD team is live blogging the mess as they clean it up. [opensslrampage.org] In short, OpenSSL was not written by a responsible (or entirely competent) dev team.

  • OpenSSL patches eight old vulnerabilities

    FTFY. They are newly discovered, but not new.

  • I feel it would make most sense if they plan for abolishing OpenSSL in favor of a new library called OpenTLS.

    Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future. For instance, don’t copy SSL or TLS 1.0 to the new fork. Nobody should be using SSL anyway so it can easily stay out of the new OpenTLS.

    The new OpenTLS library can then be cleaned up and strengthened without causing too much harm to users of legacy OpenSSL, althou

    • by Anonymous Coward

      I think the LibreSSL people have shown that any such project should probably be restarted from scratch.

      Overall, my experience with dealing with various libraries is that what someone really needs is to write a library that basically wraps connect() accept() write() read() and close() so that people can just do SSL without needing a billion steps that are poorly documented and trivial to completely fuck up.

      While I'm begging, I'd also like someone to make a modern SSL cert tool that handles all the fancy shit

    • by phantomfive ( 622387 ) on Saturday January 10, 2015 @01:25PM (#48782035) Journal

      Fork OpenSSL to OpenTLS but only take those technologies that are currently known to be good/safe and still have some future.

      It's a fine idea but it wouldn't help you because the problem isn't the algorithm, the problem is the code. OpenSSL is known to have bugs in its TLS code, too. The problems here start even before getting to the algorithm.

    • by greg1104 ( 461138 ) <gsmith@gregsmith.com> on Saturday January 10, 2015 @02:24PM (#48782395) Homepage

      Been tried already; see gnutls [gnutls.org]. We tried to switch from OpenSSL to gnutls as the preferred SSL library for PostgreSQL a few years back, even got some press coverage [lwn.net] documenting the whole thing. But, sadly, OpenSSL has too many quirky APIs to make a transition away from it easy. And anyone who tries to be "bug compatible" creating a replacement to that mess is going to inherit some of the same bad design that needs to be burned with fire.

    • Uhm, it's already been done: libressl
