Awoogah: Get ready to patch 'severe' bug in OpenSSL this Thursday

Sysadmins and anyone else with systems running OpenSSL code: a new version of the open-source crypto library will be released this week to "fix a single security defect classified as 'high' severity." The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0 …

  1. theOtherJT Silver badge

    Somewhere between terror and joy

    It's wonderful to watch these patches rolling in now. Ever since heartbleed the patch train seems to have been unstoppable. People are finally looking at OpenSSL with a properly critical eye and fixing it.

    On the other hand... we've all been using this thing in this state for YEARS. I clench up a bit every time a patch is announced in case it's another scary one.

    1. Alan Brown Silver badge

      Re: Somewhere between terror and joy

      "People are finally looking at OpenSSL with a properly critical eye and fixing it."

      Which makes the point about "legacy code being stable and secure" being complete and utter bollocks. Every time someone trots it out to justify carrying on with crappy old code I ask them to show the complete security vetting that it's had (generally, it hasn't) vs the reports for more recent substitutes.

      Bear in mind that in almost all of the recent cases involving legacy code, serious security holes have dropped out of the scanners within minutes of someone asking "I wonder if this has ever been checked?"

    2. Michael Wojcik Silver badge

      Re: Somewhere between terror and joy

      Many of the OpenSSL security fixes this year have been protocol, not implementation, fixes. The recent Logjam / WeakDH fixes, for example, apply to all SSL/TLS implementations, because they're errors in the protocol.

      This latest fix corrects an error that was introduced a couple of months ago, by the way. So ... not so much "finally fixing" as "still fixing".

  2. Nolveys
    Facepalm

    LibreSSL?

    I'll be very interested to see if this problem affects LibreSSL as well as OpenSSL.

    I'll have to be sure to have this queued up for Thursday: https://www.youtube.com/watch?v=gqg3l3r_DRI

    1. Charlie Clark Silver badge

      Re: LibreSSL?

      Indeed. Cross-referencing CVEs in the change logs makes interesting reading: LibreSSL has so far managed to avoid some, but not all, bugs by pre-emptively removing OpenSSL code.

    2. Michael Wojcik Silver badge

      Re: LibreSSL?

      Probably not, since it's in a new feature (only introduced in 1.0.1n and equivalent releases of other OpenSSL API versions).

  3. Gis Bun

    Yes. Another severe non-Windows security issue. As if we didn't have enough of these SSL issues this past year or so.

    1. Doctor Syntax Silver badge

      Maybe you should check the Windows code for yourself, just in case. Can you see a problem with that?

      1. Anonymous Coward

        It doesn't look like the availability of source code helped OpenSSL much, very few eyes could read and fully understand that code, and spot bugs.

        And there are people outside Microsoft who can actually access Windows source code. Just, it's not for everybody and you're under an NDA.

        1. Lee D Silver badge

          And if you're under an NDA.... can you actually report a security problem publicly?

        2. Charlie Clark Silver badge
          Thumb Down

          It doesn't look like the availability of source code helped OpenSSL much, very few eyes could read and fully understand that code, and spot bugs.

          And your point is? Peer review is the great potential advantage of open source. While OpenSSL's codebase has correctly been roundly criticised in a number of places, it also has to be noted that it has been notoriously underfunded for years. OTOH Microsoft can hardly blame lack of cash for all the bugs that keep cropping up in its software.

          There is now more cash for development and review, as evinced by this announcement, though whether it is ever going to be possible to properly clean up the codebase is a matter of some debate.

        3. Michael Wojcik Silver badge

          very few eyes could read and fully understand that code, and spot bugs

          Complete bullshit. Any competent C programmer can understand the OpenSSL source, and there's probably a few hundred competent C programmers.

          Many incompetent C programmers are also capable of reading and understanding the OpenSSL source - at least the vast majority of it - and there's no shortage of them.

          The OpenSSL source is not pretty. It contains many infelicitous choices in design and style. A lot of it has become stovepiped due to excessive enhancement with insufficient refactoring, and sometimes due to over-eager refactoring with gleeful use of the preprocessor. But it's hardly ineffable.

    2. Anonymous Coward

      Non-Windows you say? Are you implying that this doesn't affect the Win32 port of OpenSSL?

  4. channel extended
    Unhappy

    Older version safe?

    If this doesn't affect the older versions does that mean the heartbleed patch has a hole?

    1. Crazy Operations Guy

      Re: Older version safe?

      I'm assuming that it was one of those fixes that plug one hole, but accidentally opened another, like a function that goes through a loop where the result is an off-by-one error in some uses, but is needed in others.

    2. Anonymous Coward

      Re: Older version safe?

      It doesn't fill one with confidence that the newer versions of OpenSSL seem to be the least secure. Better to stick with the 0.9.8 series and patch any flaws found there than try to stay on the latest 1.0.x.

      1. Anonymous Coward

        Re: Older version safe?

        Most likely it's another hole in a new feature, like Heartbleed; that was DTLS.

      2. Charlie Clark Silver badge

        Re: Older version safe?

        Better to stick with the 0.9.8 series and patch any flaws found…

        You seriously want to manually patch OpenSSL code? You're a braver man than me, Gungadin. The difficulty of doing this is one of the main drivers behind the LibreSSL project.

        1. Michael Wojcik Silver badge

          Re: Older version safe?

          You seriously want to manually patch OpenSSL code?

          Lots of people do backport specific patches into older releases. For the vast majority of security fixes it's not particularly difficult; they tend to be small and well-isolated. Fixing Heartbleed was trivial, for example, once someone noticed it.

          Personally I don't recommend that approach, because then you're maintaining a fork, and you have to do extra testing to ensure you're not introducing new issues with your ported fixes. But actually patching the code? Easy for a competent C programmer, or even most ordinary C programmers.

          And 0.9.8 is still under maintenance, by the way.

      3. Michael Wojcik Silver badge

        Re: Older version safe?

        Better to stick with the 0.9.8 series and patch any flaws found there than try to stay on the latest 1.0.x.

        Problematic new features have mostly been the ones that are also backported into 0.9.8. If you're going to make this argument - which, frankly, I think is mind-bogglingly ignorant and foolish - you need to support it by citing actual changes in the various OpenSSL streams (0.9.8, 1.0.1, and 1.0.2) and showing that there are security advantages to 0.9.8.

    3. Michael Wojcik Silver badge

      Re: Older version safe?

      If this doesn't affect the older versions does that mean the heartbleed patch has a hole?

      No. It has absolutely nothing to do with Heartbleed. The Heartbleed fixes were a year ago. There have been several OpenSSL releases since.

  5. This post has been deleted by its author

  6. -tim

    It looks like if you built something against the 1.0.1o or 1.0.1n and used the other shared library, someone might be able to do very bad things to your server. Until patch Thursday comes around, it might be wise to check that the version that is being linked against is the version that the programs were built against.
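    One way to do the check -tim describes, as an added example that is not part of the article, the comment thread, or OpenSSL itself: find the libssl/libcrypto entries in `ldd` output, decode OpenSSL's hex `OPENSSL_VERSION_NUMBER` (the value in the headers you built against, and the value `SSLeay()`/`OpenSSL_version_num()` reports at run time) into the familiar `1.0.1p` form, and compare the two. The `ldd` output is constructed sample data with made-up paths; the function names are this example's own; the 1.0.1 affected range follows the thread (introduced in 1.0.1n, fixed in 1.0.1p), while the 1.0.2 range starting at 1.0.2b is an assumption, not something the page states.

```python
"""Added example, not from the article or the commenters: decode OpenSSL's
OPENSSL_VERSION_NUMBER encoding and compare the version a program was built
against with the version of the shared library it actually loads."""
import re
import ssl

# `ldd some-daemon` output, constructed for this example (hypothetical paths).
SAMPLE_LDD_OUTPUT = """\
\tlinux-vdso.so.1 =>  (0x00007ffd4c5f3000)
\tlibssl.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f2b1c9b0000)
\tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f2b1c5d0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2b1c210000)
"""

# (first affected, first fixed) as OPENSSL_VERSION_NUMBER values.
# 1.0.1n..1.0.1o is what the thread states; 1.0.2b as the start of the
# 1.0.2 range is an ASSUMPTION made for this example.
AFFECTED_RANGES = [
    (0x100010EF, 0x1000110F),   # 1.0.1n up to, but not including, 1.0.1p
    (0x1000202F, 0x1000204F),   # 1.0.2b (assumed) up to, but not including, 1.0.2d
]

_LDD_LINE = re.compile(r"^\s*(\S+)\s+=>\s+(\S+)\s+\(0x[0-9a-f]+\)")


def find_ssl_libs(ldd_output):
    """Return {soname: path} for the libssl/libcrypto lines in `ldd` output."""
    found = {}
    for line in ldd_output.splitlines():
        m = _LDD_LINE.match(line)
        if m and m.group(1).startswith(("libssl.", "libcrypto.")):
            found[m.group(1)] = m.group(2)
    return found


def decode_openssl_version_number(num):
    """Decode the 1.0.x-era MNNFFPPS layout, e.g. 0x1000110f -> '1.0.1p'.

    M = major nibble, NN = minor, FF = fix, PP = patch letter (1 -> 'a'),
    S = status (0 dev, 1..14 beta, 15 release).  OpenSSL 3.x changed the
    layout to MNN00PP0, so that branch is handled separately."""
    major = (num >> 28) & 0xF
    minor = (num >> 20) & 0xFF
    fix = (num >> 12) & 0xFF
    patch = (num >> 4) & 0xFF
    status = num & 0xF
    if major >= 3:
        return "%d.%d.%d" % (major, minor, patch)
    text = "%d.%d.%d" % (major, minor, fix)
    if patch:
        text += chr(ord("a") + patch - 1)   # 1 -> 'a', 16 -> 'p'
    if status == 0:
        text += "-dev"
    elif status != 0xF:
        text += "-beta%d" % status
    return text


def same_release_stream(built, runtime):
    """True when both numbers share major.minor.fix (e.g. both 1.0.1x),
    the granularity at which the 1.0.x series keeps its SONAME and ABI."""
    return (built >> 12) == (runtime >> 12)


def assess_linkage(built, runtime, affected_ranges):
    """Summarise what a binary built against `built` is running with."""
    return {
        "built": decode_openssl_version_number(built),
        "runtime": decode_openssl_version_number(runtime),
        "same_stream": same_release_stream(built, runtime),
        "runtime_older_than_build": runtime < built,
        "runtime_affected": any(lo <= runtime < hi for lo, hi in affected_ranges),
    }


if __name__ == "__main__":
    print("OpenSSL libraries in sample ldd output:", find_ssl_libs(SAMPLE_LDD_OUTPUT))
    # Constructed scenario: headers from 1.0.1o at build time, while the
    # library this interpreter actually loaded is whatever `ssl` reports.
    built_against = 0x100010FF
    print(assess_linkage(built_against, ssl.OPENSSL_VERSION_NUMBER, AFFECTED_RANGES))
```

    For a native binary the run-time value comes from `SSLeay()` (1.0.x) or `OpenSSL_version_num()` (1.1.0 and later), and the build-time value from the `OPENSSL_VERSION_NUMBER` macro compiled into the program; the point of comparing the two, rather than trusting `openssl version` on the command line, is that the tool and the library your daemon loads need not be the same build.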

  7. uridium
    FAIL

    Call it: "Vasa" after the unstable/insecure ship of the same name.

    Many images exist already.
