Announcement
Collapse
No announcement yet.
OpenSSL Outlines Two High Severity Vulnerabilities
Collapse
X
-
Okay, who was the person who said that the biggest mistake in OpenSSL might have been the decision to use X.509 formatted certs? Step up and collect your prize.
- Likes 2
-
Originally posted by kozman View Post
Because if they didn't ye ol' stock price and reputation would take a hit to the nads.
Security Matters.
- Likes 2
Leave a comment:
-
Originally posted by birdie View PostToo much ado about very little if anything.
1) This only affects systems which verify remote X.509 TLS certificates.
2) This needs a special stack layout and doesn't affect Linux systems.
Not that many Web servers on the Internet even do it. Fedora 37 was delayed for this. I'm pretty sure some people in Fedora/RedHat knew everything yet they've still delayed the next release. An update for Fedora 35/36 has been pushed to testing, not even stable updates.
TLDR: This is "critical" for non-Linux OSes and only systems which deal with user-supplied X.509 certificates. Move on.
- Likes 5
Leave a comment:
-
That's it? This? These are the pandemonium inducing pair of CVEs? Kind of a nothingburger.
"...requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer." Likelihood of a CA to act maliciously to leverage this is effectively zero. they'd be blacklisted globally within a short amount of time. Perhaps if there were a way to spoof a major CA and somehow self-sign without an app noticing. Maybe, not not very likely without Herculean effort. The second method, not sure. Outside my purview. Second vuln has the same requirement for exploitation.
- Likes 3
Leave a comment:
-
Too much ado about very little if anything.
1) This only affects systems which verify remote X.509 TLS certificates.
2) This needs a special stack layout and doesn't affect Linux systems.
Not that many Web servers on the Internet even do it. Fedora 37 was delayed for this. I'm pretty sure some people in Fedora/RedHat knew everything yet they've still delayed the next release. An update for Fedora 35/36 has been pushed to testing, not even stable updates.
TLDR: This is "critical" for non-Linux OSes and only systems which deal with user-supplied X.509 certificates. Move on.Last edited by birdie; 01 November 2022, 01:18 PM.
- Likes 11
Leave a comment:
-
Too bad. I expected it to erupt like mount Vesuvius and destroy the Internet... Not even yum update for today.
- Likes 6
Leave a comment:
-
Not that scary. Too bad Fedora decided to slip the release date, but it's understandable.
- Likes 3
Leave a comment:
-
OpenSSL Outlines Two High Severity Vulnerabilities
Phoronix: OpenSSL Outlines Two High Severity Vulnerabilities
Two high severity security vulnerabilities affecting OpenSSL were made public today, which were the issues that led to Fedora 37 being delayed to mid-November to allow the release images have mitigated OpenSSL packages...
Tags: None
- Likes 1
Leave a comment: