
Multiple Vulnerabilities in OpenSSL

CowboyNeal posted more than 10 years ago | from the stay-safe-stay-current dept.

Security 274

gfilion writes "Updated versions of OpenSSL are now available which correct two security issues: A null-pointer assignment during SSL handshake and an out-of-bounds read that affects Kerberos ciphersuites. Full advisory available on OpenSSL site and US-CERT."
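As an added example, not part of the submission, the advisory, or OpenSSL itself: a POSIX shell check that classifies the banner printed by `openssl version` against the releases that carry the fix, 0.9.7d for the 0.9.7 branch (named further down this thread) and 0.9.6m for the 0.9.6 branch (from the same March 2004 advisory, not named on this page). The banner layout "OpenSSL 0.9.7c 30 Sep 2003" is an assumption about the tool's output, and the sample banners are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL.
# Assumes `openssl version` prints a banner like "OpenSSL 0.9.7c 30 Sep 2003".
# Fixed releases for the March 2004 advisory: 0.9.7d (named in this thread)
# and 0.9.6m (same advisory, not named on this page).

# Extract the release token ("0.9.7c") from a version banner.
openssl_release() {
    set -- $1                 # split the banner on whitespace
    printf '%s\n' "$2"
}

# Return 0 if the release is older than the fixed one for its branch,
# 1 if it is the fixed release or newer, 2 if the branch is not one we know.
openssl_needs_update() {
    rel=$(openssl_release "$1")
    base=${rel%[a-z]}         # "0.9.7" (strip a single trailing patch letter)
    letter=${rel#"$base"}     # "c", or empty for the bare x.y.z release
    case "$base" in
        0.9.7)
            case "$letter" in
                ''|a|b|c) return 0 ;;   # 0.9.7, 0.9.7a..c: older than 0.9.7d
                *)        return 1 ;;
            esac ;;
        0.9.6)
            case "$letter" in
                ''|[a-l]) return 0 ;;   # 0.9.6, 0.9.6a..l: older than 0.9.6m
                *)        return 1 ;;
            esac ;;
        *)  return 2 ;;                 # 0.9.8, 1.x, ...: outside this advisory
    esac
}

# Human-readable verdict for a banner; prints one of three fixed prefixes.
openssl_verdict() {
    rc=0
    openssl_needs_update "$1" || rc=$?
    case "$rc" in
        0) printf 'UPDATE: %s is older than the fixed release\n' "$(openssl_release "$1")" ;;
        1) printf 'OK: %s carries the fix\n' "$(openssl_release "$1")" ;;
        *) printf 'UNKNOWN: %s is not a 0.9.6/0.9.7 release\n' "$(openssl_release "$1")" ;;
    esac
}

# Usage on a live box:  openssl_verdict "$(openssl version)"
```

One caveat the check cannot cover: `openssl version` reports the library the `openssl` binary was built against. Daemons such as sshd or httpd may be linked against a different copy, or statically, so on hosts with more than one OpenSSL check what the daemon actually loads (for example with `ldd`), and restart long-running services after the library is replaced, since a running process keeps the old copy mapped.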

274 comments

Yea, yea... (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8606531)

OMG TEH LINUX ISN'T 110% UBER-SECURE. We know. Yea, the patch was released almost immediately, we know that too.

Carry on.

teh funney (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8606539)

Frist post! [senate.gov]

Non-Exploitable Security DOS Exploit (2, Informative)

jstockdale (258118) | more than 10 years ago | (#8606540)

News at 11

Honestly people, is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago, and a fixed version of OpenSSL is already available.

CVSup; make buildworld && make installworld

Problem solved.

Re:Non-Exploitable Security DOS Exploit (5, Insightful)

BlueCodeWarrior (638065) | more than 10 years ago | (#8606591)

For those of us not on the FreeBSD mailing list, it is.

Re:Non-Exploitable Security DOS Exploit (-1)

Anonymous Coward | more than 10 years ago | (#8606877)

If you're running any kind of server you should be subscribed to the mailing lists of the product you're using.

Re:Non-Exploitable Security DOS Exploit (2, Flamebait)

Canberra Bob (763479) | more than 10 years ago | (#8606596)

Yes, but *BSD takes security in general a lot more seriously.

Rather than racing around trying to be all things to all people, the *BSD developers concentrate on what they are good at: developing a darn good server OS.

For your average Linux user, this will be treated as a nuisance that interrupts them trying to get the latest unstable kernel compiled, for your average *BSD user, this is important stuff that affects the security of their IT infrastructure.

Re:Non-Exploitable Security DOS Exploit (2, Insightful)

Anonymous Coward | more than 10 years ago | (#8606739)

Wow, aren't we pretentious and elite today? I could just as easily say that the average Linux user just waits for cron-apt or something similar to pull in the fixed packages when they are made available by their distribution, which is a far more realistic claim, yet equally as handwaving and vacuous as the one you made.

Get a life.

Re:Non-Exploitable Security DOS Exploit (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8606828)

How the fuck did this get modded insightful? Jesus.

Re:Non-Exploitable Security DOS Exploit (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8606861)

Fantastic Troll!

Dictionary.com's entry for pretentious should link to your post.

Re:Non-Exploitable Security DOS Exploit (5, Insightful)

stratjakt (596332) | more than 10 years ago | (#8606635)

It's certainly front page news if there's a non-exploitable flaw in Windows for which a patch has been released.

cvs, make and build sure.. But when it's click Windows Update, somehow it's some monumental task that's just the worst thing imaginable.

Re:Non-Exploitable Security DOS Exploit (4, Informative)

MobyTurbo (537363) | more than 10 years ago | (#8606655)

Honestly people, is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago, and a fixed version of OpenSSL is already available.

Slackware Linux [slackware.com] also has this fixed. Incidentally, like the parent's subject line says, this is a minor vulnerability that at the most makes openssl crash, not an exploit or a trojan like all the stuff we've been seeing about Windows on /. lately.

Re:Non-Exploitable Security DOS Exploit (4, Insightful)

KidSock (150684) | more than 10 years ago | (#8606660)

...is this really /. front page news? This came out on the FreeBSD mailing list 36 hrs ago.

Yes. Most of us are not on the FreeBSD mailing list. Instead we wait for the more mainstream outlets like /. to report the problem. Also it's good to wait about 36 hours or so for the fix to go through the motions as the sudden interest rattles free other problems.

The A-Team (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8606669)

In 1972, a crack commando unit was sent to prison by a military court for a crime they didn't commit.

They promptly escaped from a maximum security stockade to the Los Angeles underground. Today, still wanted by the government, they survive as soldiers of fortune.

If you have a problem, if no-one else can help, and if you can find them, maybe you can hire the A-Team.

hey that's pretty good, man (0)

Anonymous Coward | more than 10 years ago | (#8606935)

maybe you should, like, make a movie or something. i think it has potential.

Re:Non-Exploitable Security DOS Exploit (4, Interesting)

ewhac (5844) | more than 10 years ago | (#8606733)

CVSup; make buildworld && make installworld

For people who've never done this before (such as myself), this is an intimidating operation; care to walk me through it? It also glosses over insignificant little details, such as:

  • How do you set up your supfile?
  • Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?
  • Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports? (E.g. I'm using postfix, thankyouverymuch, and don't want sendmail to reappear.)

Dumb questions I'm sure, but the answers have never been revealed in a form I can understand.

Schwab

Re:Non-Exploitable Security DOS Exploit (5, Informative)

Anonymous Coward | more than 10 years ago | (#8606791)

How do you set up your supfile?

Copy it from /usr/share/examples/ (it's somewhere in there, I think, my FreeBSD box isn't running at the moment, I've poached some of its hardware).

Over a period of several updates, how do you avoid having stale libraries/executables/config files scattered all over your machine?

That's a fine question indeed. What I do is:

make DESTDIR=/usr/local/fake_root distrib-dirs distribution

make DESTDIR=/usr/local/fake_root installworld

make DESTDIR=/usr/local/fake_root installkernel KERNCONF=foobar

Then you can compare the contents of /usr/local/fake_root and stuff in /. I like find and sort and vimdiff to do that. It's not super elegant, but you don't have to do it too often if you're tracking something like RELENG_4_9, since rarely do things get updated. What you would use it for is when you make changes to the base, which leads me to:

Is there a risk that 'make installworld' will silently overwrite a functional replacement previously installed from ports?

Yes! But you can get around it. In /etc/make.conf, do:

NO_SENDMAIL=true

Now sendmail won't be built, although its stale files will hang around; refer to point 2 above.

You'll also, in rc.conf, want:

sendmail_enable="YES"

sendmail_flags="-bd"

sendmail_outbound_enable="NO"

sendmail_submit_enable="NO"

sendmail_msp_queue_enable="NO"

At least for Postfix, which you say you use.
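One way to do the comparison the reply above describes (install into a DESTDIR, then find, sort and diff that tree against the live system), as an added example that is not from the thread or from FreeBSD: a POSIX shell function that lists paths present in the live tree but absent from the staged install, which are the candidates for stale leftovers. The fixture directories and library names are constructed for the demonstration, and /usr/local/fake_root is assumed as the staging root only by analogy with the reply.

```shell
#!/bin/sh
# Added example, not from the thread: compare a DESTDIR staging install
# (e.g. /usr/local/fake_root) against the live tree and report files that
# exist only on the live system, i.e. candidates for stale leftovers.

# Sorted list of regular files and symlinks under $1, relative to $1.
tree_listing() {
    ( cd "$1" && find . \( -type f -o -type l \) -print | LC_ALL=C sort )
}

# stale_files LIVE_ROOT STAGED_ROOT [SUBTREE]
# Print paths under SUBTREE (default: whole tree) that are in LIVE_ROOT but
# not in STAGED_ROOT. Restrict SUBTREE to base-system directories such as
# usr/lib or usr/sbin so that ports under /usr/local are not reported.
stale_files() {
    sub=${3:-.}
    live_list=$(mktemp) ; staged_list=$(mktemp)
    tree_listing "$1/$sub" > "$live_list"
    tree_listing "$2/$sub" > "$staged_list"
    LC_ALL=C comm -23 "$live_list" "$staged_list"   # lines only in the first file
    rm -f "$live_list" "$staged_list"
}

# Constructed fixture so the function can be exercised without a FreeBSD box:
# the staged tree has the new library only, the live tree still has an old one
# plus a port-installed binary that must not be reported for usr/lib.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/live/usr/lib" "$root/staged/usr/lib" "$root/live/usr/local/bin"
    : > "$root/live/usr/lib/libssl.so.3"        # current library, in both trees
    : > "$root/staged/usr/lib/libssl.so.3"
    : > "$root/live/usr/lib/libssl.so.2"        # left over from an earlier install
    : > "$root/live/usr/local/bin/postfix"      # a port, outside the base system
    printf '%s\n' "$root"
}

# Usage on a real system, after `make DESTDIR=/usr/local/fake_root installworld`:
#   stale_files / /usr/local/fake_root usr/lib
```

The output is a list to review, not to delete blindly: a file only on the live side may be a stale library, but it may also be a config file, a ports-installed replacement such as the Postfix binaries, or something created at runtime, which is why the comparison is best run one base directory at a time.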

Re:Non-Exploitable Security DOS Exploit (1)

dasmegabyte (267018) | more than 10 years ago | (#8606830)

Really?

What I do is "emerge -u openssl."

For me it seems easier, but what the hell do I know.

Re:Non-Exploitable Security DOS Exploit (1, Funny)

Anonymous Coward | more than 10 years ago | (#8606879)

You're such a dork.

Re:Non-Exploitable Security DOS Exploit (1)

sublimespot (265560) | more than 10 years ago | (#8606872)

Agreed. I updated my servers over 24 hours ago.

3 actually (4, Informative)

chrisopherpace (756918) | more than 10 years ago | (#8606546)

According to this link [uniras.gov.uk], there are three vulnerabilities.
This was, like, sooo yesterday on the Bugtraq lists ;)

Re:3 actually (4, Funny)

Anonymous Coward | more than 10 years ago | (#8606562)

Let me summarize this whole thread so we don't waste any time:

Microsoft fans - "see, Linux/FOSS have security issues too"

Linux fans - "yeah, but we fixed this right away. If this was Microsoft, we would have been waiting for months"

Repeat again and again..

Next topic please..

Re:3 actually (4, Informative)

chrisopherpace (756918) | more than 10 years ago | (#8606652)

Not to troll, but OpenSSL is not Linux, and Linux is not OpenSSL.

Re:3 actually (3, Funny)

smitty_one_each (243267) | more than 10 years ago | (#8606710)

You're flying too low to see the us/them dichotomy going on, boss.

Re:3 actually (2, Funny)

Anonymous Coward | more than 10 years ago | (#8606732)

hate to troll either but all the Microsoft fans on slashdot are Microsoft Employees. I know this because I am one. I am too ashamed to admit it in public but hey, the pay is great.

Re:3 actually (0)

Anonymous Coward | more than 10 years ago | (#8606786)

It pays well to be a whore...

Re:3 actually (5, Funny)

fermion (181285) | more than 10 years ago | (#8606890)

Anyway we all know the problem isn't MS, the problem is C. It is such a 1970 type of language. Back when programmers were randomly jumping from place to place, casting memory as whatever type of data pleased them, recasting the data in function calls, copying blocks of data without a care of whether the blocks really existed, and, in this case, assigning NULL pointers all willy nilly. I mean really. No programmer educated in the past 15 years actually has the skill to remember that the void pointer pointer which in the last call has the value of the beginning of a three dimensional array, now points to the beginning of four dimensional array, which, of course, is complicated by the fact that such beasts only exist in the mind of the programmer, and not in any specific language construct, pointer math being one of those fictional things beat into the heads of the unfortunate programmers trained 20 years ago. And let's not even talk about the infinite loop idiom.

Anyway, we need to rewrite the entire thing in the elegant languages of the 21st century. I suggest this [slashdot.org]

Re:3 actually (4, Informative)

Siva (6132) | more than 10 years ago | (#8606576)

true, but one was in an older-than-current version. not to say it shouldn't be noted, of course...

Let's be like M$... (4, Funny)

barfarf (544609) | more than 10 years ago | (#8606556)

I think we should be like Microsoft and not tell anyone about it until it's already patched.

... oh, wait....

Re:Let's be like M$... (4, Funny)

Trejkaz (615352) | more than 10 years ago | (#8606588)

But remember, according to Microsoft the exploits can't exist until after the patch is released anyway.

Re:Let's be like M$... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8606605)

Unless you have the source code, of course.

Re:Let's be like M$... (0)

Anonymous Coward | more than 10 years ago | (#8606927)

Boy, Microsoft has been creating a LOT of exploits! Someone should sue them for all those exploits!

Re:Let's be like M$... (4, Insightful)

thedillybar (677116) | more than 10 years ago | (#8606646)

They didn't tell anyone until a patch was available. Note that the vulnerability was announced Wednesday, and it included a link for the patch (openssl-0.9.7d) when it was released.

It's fairly reasonable to assume that the developers knew of the vulnerability some time before the new version became available.

I think it's good practice to do this if you can develop the new version fast enough. Announcing it early is only inviting someone to exploit it. I doubt anyone will fix the vulnerability themselves and put it into production before the official release comes out.

Re:Let's be like M$... (0, Offtopic)

Anonymous Coward | more than 10 years ago | (#8606747)

Let's be like M$
Dear Slashdot,

Please add "M$" to the Lameness Filter.

Thanks,

-Mature Members of Slashdot Community

Re:Let's be like M$... (0, Offtopic)

Anonymous Coward | more than 10 years ago | (#8606762)

Dear Slashdot,

Please don't listen to people too cowardly to use their real account.

Thanks,

-Minister for Irony

Re:Let's be like M$... (0)

webtre (717698) | more than 10 years ago | (#8606867)

Dear AC,

Stop your anonymous trolling.

Fuck you,

-Webtre

Re:Let's be like M$... (0)

Anonymous Coward | more than 10 years ago | (#8606889)

The hilarious thing about your post is, some people will seriously agree with what you said.

Re:Let's be like M$... (0)

Anonymous Coward | more than 10 years ago | (#8606763)

boo, hiss.

They can only cause my servers to crash (0, Funny)

Anonymous Coward | more than 10 years ago | (#8606559)

which they do regularly anyway, thanks to cheap-ass Fry's RAM, ECS motherboards that cost $19.95, and republican style electricity service.

I'll update when I feel like it.

Patch updates are NOT news (-1, Troll)

superpulpsicle (533373) | more than 10 years ago | (#8606564)

Why is /. bombarded on a daily basis with news about patches and fixes?! I can understand freeware or cool demos... but patches are kinda pushing it.

Re:Patch updates are NOT news (5, Funny)

pompousjerk (210156) | more than 10 years ago | (#8606624)

I'm betting that there are a large number of sysadmins who pay more attention to /. than they do to keeping systems up to date.

Re:Patch updates are NOT news (1)

Nasarius (593729) | more than 10 years ago | (#8606682)

It's not that difficult these days. Set up a cron job to do "emerge sync && emerge -uD world" or the equivalent every 24 hours. No attention required.

Re:Patch updates are NOT news (2, Insightful)

Mr. Ophidian Jones (653797) | more than 10 years ago | (#8606809)

Set up a cron job to do "emerge sync && emerge -uD world" or the equivalent every 24 hours. No attention required.

Until someone roots the Gentoo servers....

They are if you just got hacked... (1, Informative)

jarich (733129) | more than 10 years ago | (#8606643)

I have a friend who left his ssh server up overnight on a brand new mandrake box... (I know, he shouldn't have, but he did).

Next morning, both his Linux and Windows boxes had been compromised.

Slashdot is a great forum for this type of critical patch. Gets the news out very quickly to people who don't read the security sites every day.

Re:They are if you just got hacked... (1)

stratjakt (596332) | more than 10 years ago | (#8606658)

Why should you not leave ssh up? Is it insecure or something?

Re:They are if you just got hacked... (0)

Anonymous Coward | more than 10 years ago | (#8606731)

yes. well, openssh is..

Re:They are if you just got hacked... (0)

Anonymous Coward | more than 10 years ago | (#8606734)

Umm yeah, seeing as it uses OpenSSL. Fuckwit. Don't get smart next time.

Re:They are if you just got hacked... (1, Informative)

Anonymous Coward | more than 10 years ago | (#8606838)

This vulnerability isn't an exploitable hole, just a DOS, shit-for-brains. Has nothing to do with the security holes in OpenSSH.

Re:They are if you just got hacked... (2, Informative)

jarich (733129) | more than 10 years ago | (#8606802)

Leaving up a service you don't need is not a smart thing to do. My friend didn't need SSH up anymore (he had temporarily) but he thought there was no reason to take it down, so he left the port open on his router.

Next morning, things were hosed. :(

The moral is if you need SSH, FTP or any other service up, keep one eye on BugTraq... but slashdot posts a lot of the good ones for those of us who don't have time to read everything.

But, if you don't have a need for the service, shut down the port! NEVER leave up a port you don't need up. There are tons of script kiddies out there just trolling for an opening. If you don't believe me, just turn on the logging for your router and watch the probes go rolling by.

Re:They are if you just got hacked... (2, Funny)

Anonymous Coward | more than 10 years ago | (#8606814)

It puts the patches on the server, or else it gets the hose again.

Re:They are if you just got hacked... (1)

NuShrike (561140) | more than 10 years ago | (#8606923)

Had my OpenSSH online for years as most other people.. What's the problem?

Re:They are if you just got hacked... (1)

Bikini Kill (678047) | more than 10 years ago | (#8606753)

Is your friend 100% positive that this vulnerability is to blame? All the reports say that it is a Denial of Service vulnerability rather than one that allows execution of arbitrary code...

Re:They are if you just got hacked... (0)

Anonymous Coward | more than 10 years ago | (#8606781)

openssl != openssh

dumbass (0)

Anonymous Coward | more than 10 years ago | (#8606907)

openssh uses openssl, retard

your lame attempt at being cool by using programming operators just makes you look more stupid, fucko

Re:They are if you just got hacked... (1)

jarich (733129) | more than 10 years ago | (#8606783)

He doesn't know what was to blame... he only had Apache and SSH open though.

get on the security mailing list for your OS (0)

Anonymous Coward | more than 10 years ago | (#8606784)

I subscribe to debian-security-announce, and I got a msg about the openssl problem sometime last night (it was in my inbox this morning).
That's the fastest and most reliable way to keep up-to-date.

Re:They are if you just got hacked... (0)

Anonymous Coward | more than 10 years ago | (#8606831)

could you be a little more specific.. i.e. versions of packages involved, or the version of the distro?

Validate untrusted data! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8606568)

With a security critical project like OpenSSL, you would think the developers would validate incoming data. For some odd reason, the OpenSSL developers seem to think performance is more important than security.

I concur! (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8606618)

I concur, we should force OpenSSL to port to Java. Or at the very least, put in a requirement on Hardened GCC!

Re:Validate untrusted data! (0)

Anonymous Coward | more than 10 years ago | (#8606788)

This is exactly the reason Bondage & Discipline Languages like Java and C# exist. Every programmer wants to believe he is the alpha-type and so tries to make his code run the fastest, but doesn't want to do the less glorious work of validating pointers (perhaps encapsulated in a class if necessary for security products--something that C++ is actually good for), checking bounds, and documentation (one of the most overlooked and most important parts of an open source project--how useful is 1000 eyes if they don't understand what you are doing). Take away these difficulties, except documentation, and you minimize stupid programmer errors. Sure it doesn't run as fast, but that's hardly the prime design requirement for security software.

Uhh (0)

Anonymous Coward | more than 10 years ago | (#8606571)

A good admin doesn't need /. to tell them that their OpenSSL is vulnerable.

Re:Uhh (2, Funny)

Anonymous Coward | more than 10 years ago | (#8606709)

And a dog doesn't need slashdot to tell him where the nearest bone is buried.

Point being: slashdot isn't news for good admins. It's news for nerds that are hopelessly wrapped up in the battle between Open Source and the evil Micro$haft corporation that they fabricated to bring some drama to their dreary lives.

Hellooooo -1 country!

slashdot - soap opera for nerds (0)

Anonymous Coward | more than 10 years ago | (#8606810)

And I don't mean Simple Object Access Protocol...

It's not as if (1)

Chuck Chunder (21021) | more than 10 years ago | (#8606931)

there's a shortage of admins in the bad to mediocre range though.

Actual Threat? (2, Interesting)

Anonymous Coward | more than 10 years ago | (#8606572)

Already updated, but (w/o Kerberos) could this actually lead to anything more than the crashing of sshd and httpd child processes (assuming that's all one's using OpenSSL for)?

Re:Actual Threat? (2, Interesting)

$0 31337 (225572) | more than 10 years ago | (#8606589)

Well I suppose that the answer is no considering that the CERT Advisory, OpenSSL site, Other numerous sites say "This can lead to a DoS attack" and don't mention anything else. RTFA.

Re:Actual Threat? (1, Interesting)

Anonymous Coward | more than 10 years ago | (#8606617)

Right. My point is, if the parent process lives on and can continue to spawn children for valid requests, is this DoS actually not much more destructive (with the possible exception of disk space for core files) than someone making "unneeded" connections?

Re:Actual Threat? (2, Interesting)

$0 31337 (225572) | more than 10 years ago | (#8606649)

One of the problems is that a remote attacker could cause an infinite loop which would hang the parent process so yes, this could be a problem.

Hmmm... (-1, Redundant)

c4Ff3In3 4ddiC+ (661808) | more than 10 years ago | (#8606581)

Seems that I'm already patched... Move on!

Re:Hmmm... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8606738)

d00d! j00r n4m3 1z s00 8i7ch3n!

before the trolls start... (4, Insightful)

contrasutra (640313) | more than 10 years ago | (#8606590)

Please don't comment "so I guess Windows isn't so insecure, is it...". We always seem to get a few of these. OpenSSL/OpenBSD has a VERY good security track record. Is a vulnerability a problem? Yes, but when MS has OpenBSD's track record, you can compare.

Also I think this is a good news post simply because it helps to show we're not anti-Windows biased. We report security problems on ALL OSes.

Oh well, sometimes you just have to combat the trolls.

Re:before the trolls start... (5, Informative)

Trejkaz (615352) | more than 10 years ago | (#8606600)

In particular, if you were running OpenSSH on Windows, which still depends on OpenSSL, then you are still in trouble. This isn't an OS security problem, it's a library security problem.

Re:before the trolls start... (1)

DeputySpade (458056) | more than 10 years ago | (#8606752)

Also I think this is a good news post simply because it helps to show we're not anti-Windows biased. We report security problems on ALL OSes.

Um... Yeah. Because this is where I go for all the breaking news in the HP-UX or AIX world, right? Sorry. Half the crowd is pro-windows biased, half the crowd is anti-windows biased and half the crowd lies by saying they aren't biased either way. You only hear about the OSs that make for a good holy war on /. because if you don't have a bunch of biased zealots running around screaming, what fun is it? That means you will only ever hear about windows problems from the anti-windows dorks, and the most common Open Source operating systems' problems from the pro-windows dorks.

Don't kid yourself into believing that /. a) is unbiased, or b) reports on the full set of "stuff that matters".

Re:before the trolls start... (0)

Anonymous Coward | more than 10 years ago | (#8606803)

And indeed, it looks like this story was submitted by a Pro-Windows dork.

Re:before the trolls start... (1)

mrtroy (640746) | more than 10 years ago | (#8606850)

Half the crowd is pro-windows biased, half the crowd is anti-windows biased and half the crowd lies by saying they aren't biased either way.

150% of the crowd cannot even use correct percentages, and make subjective opinions on matters they know nothing about :)

But keep on trucking...you hit quite a few good catchphrases, including but not limited to: pro-windows *3, anti-windows *2, OS *2, zealot, dorks*2, open source, /. * 2, bias *3

Re:before the trolls start... (3, Informative)

thebatlab (468898) | more than 10 years ago | (#8606898)

Not that I entirely agree with him (and not that I don't ;)) but his math is just fine. 100% are biased in some direction, 50% don't admit it. Works by my account.

Re:before the trolls start... (0)

Anonymous Coward | more than 10 years ago | (#8606914)

Because someone can't be biased and not admit it?

Re:before the trolls start... (4, Funny)

doomy (7461) | more than 10 years ago | (#8606840)

Yes, but when MS has OpenBSD's track record, you can compare.

This just out from MSFT:
Only one remote hole in Windows XP, since yesterday.

this is not a troll (0)

Anonymous Coward | more than 10 years ago | (#8606885)

I'm in the process of trying to figure out Windows security. So far it's a bloody mess. For all the byzantine token-passing and ACL's, the damn thing is still getting compromised left and right.
Maybe they should scrap it all and start over. I don't recommend them following the Unix security model either, cause that root=god thing ain't all that either.

Why Is This Happening? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8606598)

I don't understand; so many eyes. Why do these security breaches keep showing up in open-source code?

Re:Why Is This Happening? (0)

Anonymous Coward | more than 10 years ago | (#8606627)

because it's more complicated code than "hello, world!"

Re:Why Is This Happening? (0)

Anonymous Coward | more than 10 years ago | (#8606650)

Hey, SOMEONE found out about it. Har har har!

Because people aren't whipped and beaten enough to learn to stop making mistakes.

Re:Why Is This Happening? (3, Insightful)

nathanhart (754532) | more than 10 years ago | (#8606727)

Probably has something to do with many people being able to do code audits freely and of course submit their fix for it ;)

Re:Why Is This Happening? (0)

Anonymous Coward | more than 10 years ago | (#8606746)

Probably because, as with homepages, weblogs, amusing photoshops and 99% of everything else on the internet, the author is the only person that reads their work.

Just because it's open source doesn't mean anyone else is reading it!

new version of windows ... (-1, Troll)

vivek7006 (585218) | more than 10 years ago | (#8606616)

Here is the new [deanliou.com] version of windows with updated versions of OpenSSL

Re:new version of windows ... (0)

Anonymous Coward | more than 10 years ago | (#8606740)

Mod parent up. This is hilarious !!

Bullshit... (4, Funny)

Anonymous Coward | more than 10 years ago | (#8606623)

Everything is fine, firewall is quiet, and I dont think a single box wiL#%*#AT+H+H[NO CARRIER]

For the love of god (5, Funny)

Anonymous Coward | more than 10 years ago | (#8606750)

Please let the 'no proble...[NO CARRIER]' joke die. It is less funny than recursive acronyms, number representation wackiness, or 'yet another' names for programs.

Okay, maybe not less funny - but just as unfunny.

Old news (2, Insightful)

macdaddy (38372) | more than 10 years ago | (#8606711)

I mean this is over a day old now. Why it took CERT so long to send the advisory I don't know.

Re:Old news (1)

hattmoward (695554) | more than 10 years ago | (#8606793)

CERT (US-CERT) has been slower since USDOHS got on the scene. They've slowed quite a bit, but maybe they're doing a lot more behind-the-scenes work with organizing patches, releases, and the like.

Speedy Cert (1)

SuperBanana (662181) | more than 10 years ago | (#8606909)

Why it took CERT so long to send the advisory I don't know.

You're joking, right? A day is flat-out amazing. CERT used to take months to announce stuff. It was a joke; I unsubscribed because at the time, I found out about stuff in updated RPM changelogs well ahead of when I read it in one of CERT's email alerts. They'd often take over a week to send an email out about a virus that had already thoroughly spread.

Move along (4, Informative)

Dalcius (587481) | more than 10 years ago | (#8606716)

Nothing really to see here folks. Both attacks crash the SSL server, so we're looking at DOS attacks and not 'holes'. This is certainly serious for the business who relies on it, but for home networks and casual use (which I'm sure is common among slashdotters) this is no sweat.

Nice to hear that they found the holes, though. :)

RedHat 7.2/7.3 not supported, yet (1)

mcrbids (148650) | more than 10 years ago | (#8606829)

As of the time of this writing, the yum repositories for Fedora Legacy 7.2 do *NOT* have these updates!!!

Re:RedHat 7.2/7.3 not supported, yet (0)

Anonymous Coward | more than 10 years ago | (#8606846)

If this is a production machine, why don't you update it yourself?

You can't afford to wait on a bunch of unpaid volunteers to get around to compiling the new package and packaging it into an RPM. They've got paid jobs, I imagine.

Re:RedHat 7.2/7.3 not supported, yet (1)

$0 31337 (225572) | more than 10 years ago | (#8606900)

wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz

Decompress/configure/make/make install

If you can't compile source code then you shouldn't be a sysadmin.

Re:RedHat 7.2/7.3 not supported, yet (1)

mcrbids (148650) | more than 10 years ago | (#8606943)

If you can't compile source code then you shouldn't be a sysadmin.

If you enjoy torturing yourself, compile everything from scratch. Once you've done this, you have to chase down every update in anything you ever compile for the duration of the life of the machine, as well as beat out any changed dependencies.

It's not as bad if/when you use a tool like checkinstall...

Core 1 not supported, yet either (0)

Anonymous Coward | more than 10 years ago | (#8606932)

Makes me wish I were running Gentoo.

old news (1, Funny)

Anonymous Coward | more than 10 years ago | (#8606851)

i patched this like ten hours ago.

omg@! (-1, Troll)

Anonymous Coward | more than 10 years ago | (#8606886)

I can't believe Microshaft is always releasing such crap! ! it's not liek the OPEN SORCE develpars would put out crap lije thsu !

Not too big of an issue... (5, Informative)

InvaderXimian (609659) | more than 10 years ago | (#8606891)

Considering most setups (namely FreeBSD ones) aren't affected, because this is a problem with Kerberos ciphersuites and the OpenSSL code is extremely MIT Kerberos specific, so this flaw doesn't affect it.

From the FreeBSD security list:

> If one compiles OpenSSL oneself, *and* has MIT Kerberos, *and*
> enables the Kerberos options, *and* has all ciphersuites (or at least
> the Kerberos ciphersuites) specified in your application's
> configuration, then you might be affected. But that has nothing to
> do with FreeBSD.
> Thus, answering your question again:
>
> Isn't FreeBSD vulnerable to the second "Out-of-bounds read affects
> Kerberos ciphersuites" security problem?
>
> No, FreeBSD is not.

DONT FIX (1, Funny)

ocularDeathRay (760450) | more than 10 years ago | (#8606901)

Whatever you do... don't release a patch for these problems anymore.. I hear from an "industry leader" that exploits only happen after a patch is released.

better safe than sorry!!!

*CHANTING*
"JUST GIVE HUGS... don't fix bugs!"
"START FROM SCRATCH... don't release that patch!"
and...so on