OpenSSL updated to kill code-execution bug

The OpenSSL server has been updated to fix a security bug that could be remotely exploited to potentially install malware on vulnerable systems. The race condition flaw in the OpenSSL TLS server extension code could be exploited in a buffer overrun attack, maintainers of the open-source SSL and TLS application warned on …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    "Server"?

    OpenSSL is a library, not a server itself, although a lot of servers do use the library!

    1. Russell Howe

      s_server

      Actually, the openssl(1) commandline tool does have an SSL server built in to it, but yeah, I get your point :)

  2. duncan campbell

    Seems to me

    there was some reticence in the OpenBSD project to the implementation of process threads for just such reasons....

    Fubar

  3. mark cox

    Sky not falling yet.

    We think it's unlikely to be usefully exploitable:

    https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2010-3864#c7

    1. Tom 13

      I don't buy that FUD from MS, not buying it here either.

      What I do accept is that Open Source is more likely to get it fixed faster than MS. Which they seem to have done once again.

      1. Ross 7

        Re: FUD

        He ain't saying it can't be exploited, just that it's very unlikely. I'm inclined to agree looking at the src he posted. Remote race conditions are tough to exploit, as you don't know (and can't know) details re: CPU/FS usage, and network latency will play merry hell with your exploit. This one is a *very* small window of opportunity.

        Still, good to see it got fixed promptly.
