Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy The Internet

Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs (arstechnica.com) 61

An anonymous reader cites a story on Ars Technica: Maintainers of the OpenSSL cryptographic library have patched high-severity holes that could make it possible for attackers to decrypt login credentials or execute malicious code on Web servers. The updates were released Tuesday morning for both versions 1.0.1 and 1.0.2 of OpenSSL, which a large portion of the Internet relies on to cryptographically protect sensitive Web and e-mail traffic using the transport layer security protocol. OpenSSL advisories labeled the severity of both vulnerabilities "high," meaning the updates fixing them should be installed as soon as possible. The fixes bring the latest supported versions to 1.0.1t and 1.0.2h. The decryption vulnerability is the result of what cryptographers call a padding oracle weakness, which allows attackers to repeatedly probe an encrypted payload for clues about the plaintext content inside. According to TLS expert Filippo Valsorda, the bug allows for only 16 bytes of encrypted traffic to be recovered, and even then only when an end user sends it repeatedly.
This discussion has been archived. No new comments can be posted.

Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs

Comments Filter:
  • by jfdavis668 ( 1414919 ) on Wednesday May 04, 2016 @01:43PM (#52047143)
    That's a relief.
  • Don't hold back (Score:4, Insightful)

    by halivar ( 535827 ) <.bfelger. .at. .gmail.com.> on Wednesday May 04, 2016 @01:47PM (#52047195)

    Tell us how you really feel about OpenSSL.

    • For me, OpenSSL is irrelevant. I switched to mbed TLS (former PolarSSL) years ago. Never cared to look back.
  • Aging and Bloated OpenSSL Is Purged of 2 High-Severity Bugs

    The way that headline is phrased makes me want to call the Elder Abuse Hotline.

  • Truly open (Score:5, Funny)

    by Aethedor ( 973725 ) on Wednesday May 04, 2016 @02:09PM (#52047427)
    Well, at least they've chosen the right name. It's truly open...
  • by WaffleMonster ( 969671 ) on Wednesday May 04, 2016 @02:54PM (#52047887)

    "We have released LibreSSL 2.3.4, which will be arriving in the
    LibreSSL directory of your local OpenBSD mirror soon.

    This release is based on the stable OpenBSD 5.9 branch.

                    * Fix multiple vulnerabilities in libcrypto relating to ASN.1 and encoding.
                From OpenSSL."

    • by steveha ( 103154 )

      What a coincidence

      I'm not sure what your point is. Would you prefer that LibreSSL not acknowledge that OpenSSL found the bugs first? Are you implying that LibreSSL should have found the bugs first? Are you implying that there is no valid reason to prefer LibreSSL to OpenSSL given that LibreSSL clearly isn't perfect?

      How about if you just come right out and say what you mean, instead of making me guess?

      Looking at the history [wikipedia.org] it's clear that LibreSSL has had fewer issues than OpenSSL, especially of severity

      • I'm not sure what your point is. Would you prefer that LibreSSL not acknowledge that OpenSSL found the bugs first? Are you implying that LibreSSL should have found the bugs first? Are you implying that there is no valid reason to prefer LibreSSL to OpenSSL given that LibreSSL clearly isn't perfect?

        The point is they are all bad. Bragging about LibreSSL not being vulnerable to shit (In majority of instances affected feature stripped from software) is like two idiots fighting over who is smarter.

        What would have impressed me is if LibreSSL took the time up front to re-architect software to be inherently more secure. Instead what they did was function level changes, delete features THEY didn't want along with trash much of the cross platform compatibility.

        OpenSSL needs more than just a paint job. Libre

        • by steveha ( 103154 )

          Thank you for answering my question.

          My understanding is that LibreSSL was intended to be a drop-in replacement for OpenSSL. The LibreSSL guys grumbled a lot about some of the quirks in the OpenSSL API, but they had to implement the same API to be a drop-in replacement. Also writing this sort of software can be tricky to get right, and for all its faults OpenSSL does have a lot of stuff done right. Overall I think forking was a sane choice.

          Within the limits of my own knowledge, and what I know about OpenS

  • by DerekLyons ( 302214 ) <fairwater.gmail@com> on Wednesday May 04, 2016 @04:26PM (#52048801) Homepage

    "the bug was introduced in the 2013 patch"

    Yep. With Open Source, there's a lot of eyes on code and this kinda stuff doesn't happen like it does with proprietary code.

    • You're right. We fixed it in 3 years here. Now with proprietary code... well let's just say the first you'll find out about it is if someone is paid money to actively exploit it.

      Now of interest is that the issue was discovered 2 days ago and is already fixed. How fast do proprietary companies react to critical vulnerabilities? I'll tell you in 5 weeks.

      • I always laugh my ass off when the deeply religious offer prayers in response to inconvenient facts.

        Or, to put it another way, your response is completely and utterly irrelevant to my statement. That sound you heard was my point whooshing far over your head.

        • I always laugh my ass off when the deeply religious offer prayers in response to inconvenient facts.

          Yeah an inconvenient fact that a bug was fixed within a day of it being noticed, when the alternate is never finding it and not knowing how long it takes to fix with no guarantee that it ever does? PRAISE THE LORD STALLMAN!!!! FOR HE IS OUR SAVIOUR!!!!

          Or, to put it another way, your response is completely and utterly irrelevant to my statement.

          *Sigh* have you tried turning your brain off and on again?

  • Can we get rid of this unmtained jumbled dinosaur with something more modern and actual ready for real e-commerce? Do we really need OpenVMS compability and it's own malloc() calls of LibreOSSL.

    Unfortunately, we can't just expect all the system administrators and developers, and fortune 1000 companies to leave OpenSSL. Too much red tape and client contracts dictate OpenSSL and some software is coded to break if the string doesn't say "OpenSSL".

    • by Anonymous Coward

      LibreSSL had these same defects.

  • I don't want some backward compatable OpenSSL such as LibreSSL, I want something entirely new, something fresh and tight. The vast majority of the crypto supported by OpenSSL isn't even recommend. All kinds of crypto standards are now dead, MD5 to name just one.

    Thus I want a new easy to use library that only covers the latest and has a clear path for moving forward.

    Part of that path could be a method for abandoning various protocols/standards so that they leave the core library but are available for p
    • I don't want some backward compatable OpenSSL such as LibreSSL

      You can choose between GNTTLS, NSS, and a handful of others.

      I want something entirely new,

      New code = new bugs

      It also won't help with the thousands of programs written against the OpenSSL API. The libreSSL library provides a mostly compatible API, so those old programs get the benefit of new security and is providing a new API so they can be slowly migrated.

"I am, therefore I am." -- Akira

Working...