Announcement

Collapse
No announcement yet.

OpenSSL Affected By Four More Security Vulnerabilities

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OpenSSL Affected By Four More Security Vulnerabilities

    Phoronix: OpenSSL Affected By Four More Security Vulnerabilities

    The OpenSSL project made public today four new security advisories. Three of the issues are considered of moderate severity while one is low...

    http://www.phoronix.com/scan.php?pag...nSSL-Four-More

  • #2
    Is LibreSSL affected?

    Comment


    • #3
      Is it already possible to build a gentoo system with libressl instead of openssl?
      ## VGA ##
      AMD: X1950XTX, HD3870, HD5870
      Intel: GMA45, HD3000 (Core i5 2500K)

      Comment


      • #4
        One issue is about BN_mod_exp producing incorrect results on xx86_64, a certificate verify crash with missing PSS parameter, X509_ATTRIBUTE memoryl eak, and the low issue is a race condition handling PSK identify hint.
        Spelling mistakes. Please fix.

        Comment


        • #5
          Originally posted by gamerk2 View Post

          Spelling mistakes. Please fix.
          On a slightly-related note; anyone else dislike how you can't right-click your text on this forum and spell-check? Or maybe there's some fix for this? It seems vBulletin's drop-down menu thing has priority and only allows for pasting text and creating a table...

          Comment


          • #6
            Originally posted by Espionage724 View Post

            On a slightly-related note; anyone else dislike how you can't right-click your text on this forum and spell-check? Or maybe there's some fix for this? It seems vBulletin's drop-down menu thing has priority and only allows for pasting text and creating a table...
            My broser spel-checks by default!




            (Yes, I got red squiggly lines under the above two misspelled words!)

            Comment


            • #7
              Its like the relation of human beings and nature. We are so good at consuming things but bad at giving back to the nature. In this case, lots of companies are interested in openssl but doesn't want to invest time to assess its security. I don't really see point of libreSSL, the devs might be hyper-sensitive about security but progress would be slower.

              Comment


              • #8
                Originally posted by darkbasic View Post
                Is it already possible to build a gentoo system with libressl instead of openssl?

                Yep, I've been running libressl gentoo systems for over 6 months now. Just add libressl overlay and set libressl global useflag. The only notable project that can't be patched easily is the last two major versions of NodeJS, but they also lack support for OpenSSL 0.9.x, but that project also seems to be run by crazy people with 0 interest in stability (pushing two API breaking releases in a month).

                Oh and bitcoin.... their devs don't trust libressl on their spaghetti. Need to patch out the check for it and it works fine.

                Comment


                • #9
                  And there it is.

                  Does LibreSSL have the occasional heart-stopper that's far quieter or can you run Fort Knox on it?

                  Comment


                  • #10
                    Originally posted by tigerroast View Post
                    And there it is.

                    Does LibreSSL have the occasional heart-stopper that's far quieter or can you run Fort Knox on it?

                    Its track record has been significantly better than OpenSSL's in the past year. But the two share much of the same code, so there are often shared issues, usually less on LibreSSL's end. They've introduced one minor security bug of their own but have been affected by far less than OpenSSL has.

                    I would probably trust a more stripped down library like Google's BoringSSL over LibreSSL for critical activity but it comes at the cost of extremely reduced compatibility and support, they built it for their specific needs and they have the resources to continually review it. Also, this is if you trust it wasn't backdoored for government

                    Comment

                    Working...
                    X