OpenSSL Outlines Two High Severity Vulnerabilities
Originally posted by birdie View Post
Too much ado about very little, if anything.
1) This only affects systems which verify remote X.509 TLS certificates.
2) This needs a special stack layout and doesn't affect Linux systems.
Not that many web servers on the Internet even do it. Fedora 37 was delayed for this. I'm pretty sure some people in Fedora/Red Hat knew everything, yet they still delayed the next release. An update for Fedora 35/36 has been pushed to testing, not even to stable updates.
TLDR: This is "critical" for non-Linux OSes and only for systems which deal with user-supplied X.509 certificates. Move on.
- Likes 1
Comment
Originally posted by kozman View Post
That's it? This? These are the pandemonium-inducing pair of CVEs? Kind of a nothingburger.
"...requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer." The likelihood of a CA acting maliciously to leverage this is effectively zero; they'd be blacklisted globally within a short amount of time. Perhaps if there were a way to spoof a major CA and somehow self-sign without an app noticing. Maybe, but not very likely without Herculean effort. The second method, not sure. Outside my purview. The second vuln has the same requirement for exploitation.
- Likes 3
Comment
Originally posted by karolherbst View Post
They didn't. Those were all stupid coding bugs. Two off-by-one bugs... it's really incredible how that's always causing issues.
Comment
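As an added illustration of the off-by-one pattern the post above refers to (this is example code written for this thread, not OpenSSL's source; the function names, the buffer capacity and the input are constructed for the demo), here is a fixed-size "append to output buffer" loop whose bounds check is off by one, beside the corrected check. The harness hands each version a buffer that is one byte larger than the capacity it claims, with a canary in that extra byte, so the overrun can be observed without writing outside any real object.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Generic model of an "append to a fixed-size output buffer" loop with an
 * off-by-one bounds check, placed beside the corrected check. This is
 * illustration code, not OpenSSL's source: the names, the capacity and the
 * input are constructed for the demo. out has room for max_out bytes, so
 * the only valid indices are 0 .. max_out-1. */

#define CAP 8            /* claimed capacity handed to the append routine */
#define CANARY 0xAA      /* marker stored just past the claimed capacity   */

typedef size_t (*append_fn)(unsigned char *out, size_t max_out,
                            const unsigned char *in, size_t in_len);

/* Buggy: the check still passes when written_out == max_out, so the loop
 * writes one byte past the end of out before it finally stops. */
static size_t append_buggy(unsigned char *out, size_t max_out,
                           const unsigned char *in, size_t in_len)
{
    size_t written_out = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (written_out > max_out)      /* off by one: should be >= */
            break;
        out[written_out++] = in[i];
    }
    return written_out;
}

/* Fixed: stop as soon as the buffer is full. */
static size_t append_fixed(unsigned char *out, size_t max_out,
                           const unsigned char *in, size_t in_len)
{
    size_t written_out = 0;
    for (size_t i = 0; i < in_len; i++) {
        if (written_out >= max_out)
            break;
        out[written_out++] = in[i];
    }
    return written_out;
}

/* Harness: the buffer really is CAP+1 bytes with a canary in the last one,
 * but the append routine is told it has CAP bytes. Returns 1 if the canary
 * survived, 0 if it was overwritten; *written receives the byte count. */
static int run_append(append_fn fn, size_t *written)
{
    unsigned char buf[CAP + 1];
    unsigned char in[CAP + 4];              /* constructed: longer than CAP */
    memset(in, 'A', sizeof in);
    memset(buf, 0, sizeof buf);
    buf[CAP] = CANARY;
    *written = fn(buf, CAP, in, sizeof in);
    return buf[CAP] == CANARY;
}

/* Convenience wrappers so each result can be checked on its own. */
static size_t bytes_written(append_fn fn)
{
    size_t n;
    run_append(fn, &n);
    return n;
}

static int canary_survives(append_fn fn)
{
    size_t n;
    return run_append(fn, &n);
}

int main(void)
{
    printf("buggy check: wrote %zu bytes into a %d-byte buffer, canary %s\n",
           bytes_written(append_buggy), CAP,
           canary_survives(append_buggy) ? "intact" : "overwritten");
    printf("fixed check: wrote %zu bytes into a %d-byte buffer, canary %s\n",
           bytes_written(append_fixed), CAP,
           canary_survives(append_fixed) ? "intact" : "overwritten");
    return 0;
}
```

The buggy loop accepts CAP+1 writes and clobbers the canary; the fixed loop stops at CAP. In real code the byte past the end lands on whatever the stack or heap happens to place there, which is why the exploitability of such a bug depends on the surrounding memory layout and the platform's mitigations.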