Announcement

Collapse
No announcement yet.

OpenSSH Clients Struck By New Security Vulnerability

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • OpenSSH Clients Struck By New Security Vulnerability

    Phoronix: OpenSSH Clients Struck By New Security Vulnerability

    Any OpenSSH client released in the past six years is prone to two vulnerabilities by malicious SSH servers that could cause memory disclosures and a buffer overflow...

    http://www.phoronix.com/scan.php?pag...SH-Client-Woes

  • #2
    Should I point out that this is from the people behind LibreSSL who were complaining extremely loudly about how completely incompetent the OpenSSL team was?

    ...or maybe computer security is actually hard?

    Comment


    • #3
      Originally posted by OneTimeShot View Post
      Should I point out that this is from the people behind LibreSSL who were complaining extremely loudly about how completely incompetent the OpenSSL team was?

      ...or maybe computer security is actually hard?
      There are languages in which buffer overflows are impossible thanks to strong typing (e.g. dependent typing, to be precise. And it doesn't bloat the executable, see e.g. ATS http://www.ats-lang.org/). C/C++ isn't one of them. Yes, computer security is hard, but also some of the problems are already solved. Unfortunately the security "experts" aren't professional enough since they dislike language that solve their problems. They WANT your systems to be compromised by using the decades old amateurish attempts at language design.

      Comment


      • #4
        Originally posted by OneTimeShot View Post
        Should I point out that this is from the people behind LibreSSL who were complaining extremely loudly about how completely incompetent the OpenSSL team was?

        ...or maybe computer security is actually hard?
        What? This is just a fix for two security bugs. The complaining about OpenSSL was because a flaw design and bad security practices.
        Last edited by rmiller; 01-14-2016, 06:09 PM.

        Comment


        • #5
          Originally posted by caligula View Post

          There are languages in which buffer overflows are impossible thanks to strong typing (e.g. dependent typing, to be precise. And it doesn't bloat the executable, see e.g. ATS http://www.ats-lang.org/). C/C++ isn't one of them. Yes, computer security is hard, but also some of the problems are already solved. Unfortunately the security "experts" aren't professional enough since they dislike language that solve their problems. They WANT your systems to be compromised by using the decades old amateurish attempts at language design.
          Modern C style offer a safe way for dealing with overflow without the complexity (and the security bugs) of modern high level languages. Also, most languages lacks of the amount of exploit mitigation techniques added by a C/C++ compiler.
          Last edited by rmiller; 01-14-2016, 06:13 PM.

          Comment


          • #6
            Originally posted by rmiller View Post
            What? This is just a fix for two security bugs. The complaining about OpenSSL was because a flaw design and bad security practices.
            Yeah - because that makes a difference to the people who are at risk? Remember that there was also a server SSH vulnerability for multiple years (that was ironically fixed in Sun's commercial branch).

            If this was Microsoft or Apple, or anyone else I'd just shrug and let it go - but I see no reason to go light on LibreSSL because they were **extremely** vitriolic (and personal) in attacking the OpenSSL team.

            Comment


            • #7
              Originally posted by OneTimeShot View Post

              Yeah - because that makes a difference to the people who are at risk? Remember that there was also a server SSH vulnerability for multiple years (that was ironically fixed in Sun's commercial branch).

              If this was Microsoft or Apple, or anyone else I'd just shrug and let it go - but I see no reason to go light on LibreSSL because they were **extremely** vitriolic (and personal) in attacking the OpenSSL team.
              Question: do you mean that the LibreSSL people wrote the feature that causes this bug? Because I don't remember LibreSSL being a thing 6 years ago. So what exactly about them are you criticizing in regards to this bug?

              Comment


              • #8
                Disabling a feature is not a fix.

                I use this feature a lot thanks to the crappiness of my Internet connection.

                Comment


                • #9
                  Originally posted by rmiller View Post

                  Modern C style offer a safe way for dealing with overflow without the complexity (and the security bugs) of modern high level languages. Also, most languages lacks of the amount of exploit mitigation techniques added by a C/C++ compiler.
                  What complexity and security bugs? Apparently you have no idea what you're talking about.

                  > most languages lacks of the amount of exploit mitigation techniques added by a C/C++ compiler

                  Does not parse.

                  Comment


                  • #10
                    Originally posted by OneTimeShot View Post

                    Yeah - because that makes a difference to the people who are at risk? Remember that there was also a server SSH vulnerability for multiple years (that was ironically fixed in Sun's commercial branch).

                    If this was Microsoft or Apple, or anyone else I'd just shrug and let it go - but I see no reason to go light on LibreSSL because they were **extremely** vitriolic (and personal) in attacking the OpenSSL team.
                    Obviously, follow good security practices makes a difference. Al least in term of security.

                    Comment

                    Working...
                    X