OpenSSL high-severity bug – affects 1.1.1d, 1.1.1e, 1.1.1f

189 points| AngeloR | 5 years ago |openssl.org

45 comments

9wzYQbTYsAIc|5 years ago

> This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April 2020. It was found using the new static analysis pass being implemented in GCC, -fanalyzer.

2 week turnaround time, not bad I guess, for something found by a static analyzer.

judge2020|5 years ago

At least it's just DoS and not anything like Heartbleed.

nayuki|5 years ago

What popular software contain these vulnerable versions of the OpenSSL library?

erichdongubler|5 years ago

This is a good question. Also important to remember is that for many Linux distributions dynamically linked OpenSSL artifacts are what end up getting used by the vast majority of binaries.

AngeloR|5 years ago

I have no idea what a full list looks like... but the nginx:1.17.10-alpine Docker image contains the following:

    / # nginx -V                              
    nginx version: nginx/1.17.10
    built by gcc 9.2.0 (Alpine 9.2.0)
    built with OpenSSL 1.1.1d  10 Sep 2019
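
A small check in the spirit of the `nginx -V` output above, written here as an added example (it is not from the thread or from the OpenSSL project): it pulls the OpenSSL version token out of `nginx -V`-style text and flags the three releases the advisory names. The sample outputs are constructed, and `1.1.1x` stands in as a placeholder for any later, patched release; on a live host the "running with" line, when present, reflects the dynamically linked library actually in use and therefore decides the result.

```shell
#!/bin/sh
# Added example: classify an OpenSSL version string against the releases the
# advisory lists as affected (1.1.1d, 1.1.1e, 1.1.1f). Sample inputs below are
# constructed so the script runs offline.

# Return 0 if the given OpenSSL release is one of the affected ones.
openssl_version_affected() {
  case "$1" in
    1.1.1d|1.1.1e|1.1.1f) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every OpenSSL version token found in `nginx -V` output, one per line.
# nginx reports "built with OpenSSL ..." and, when the runtime library differs
# from the build-time one, an additional "running with OpenSSL ..." line.
nginx_openssl_versions() {
  printf '%s\n' "$1" | sed -n 's/.*with OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# Classify `nginx -V` output as "affected" or "not-affected".
# The last reported version (the "running with" line, if any) is the code
# actually executing, so it decides.
classify_nginx() {
  versions=$(nginx_openssl_versions "$1")
  effective=$(printf '%s\n' "$versions" | tail -n 1)
  if openssl_version_affected "$effective"; then
    echo affected
  else
    echo not-affected
  fi
}

# Constructed sample mirroring the nginx:1.17.10-alpine output quoted above.
SAMPLE_ALPINE='nginx version: nginx/1.17.10
built by gcc 9.2.0 (Alpine 9.2.0)
built with OpenSSL 1.1.1d  10 Sep 2019'

# Constructed sample of a dynamically linked build whose host library has been
# updated; "1.1.1x" is a placeholder for a later, patched release.
SAMPLE_PATCHED='nginx version: nginx/1.17.10
built with OpenSSL 1.1.1d  10 Sep 2019
running with OpenSSL 1.1.1x  placeholder date'

classify_nginx "$SAMPLE_ALPINE"    # affected
classify_nginx "$SAMPLE_PATCHED"   # not-affected
# On a live host: classify_nginx "$(nginx -V 2>&1)"
```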

pmorici|5 years ago

Any embedded system that uses a recent version of buildroot and includes openssl. Starting with at least version 2019.02.9

pronoiac|5 years ago

Checking out packages.ubuntu.com, it looks like the only version impacted is "focal;" the other versions are too old.

lvs|5 years ago

Is there a reason why something as important as openssl is not being backported to keep up with the most recent versions?

agumonkey|5 years ago

Now I know why arch pushed a new version this afternoon.

codewiz|5 years ago

Is BoringSSL affected?

usr1106|5 years ago

So how widely is TLS 1.3

a) used

b) enabled in either client or server?

nayuki|5 years ago

OpenSSL vulnerabilities: The gift that keeps on giving.

takeda|5 years ago

I suppose so, but this bug only allows crashing the application. No doubt OpenSSL is buggy, but its problem is that a lot of applications depend on it as well.

I'm hoping it will eventually reach the status of bind or sendmail; they also had a very bad track record, but vulnerabilities are now quite rare.

stuff4ben|5 years ago

This would primarily affect web servers exposing SSH access to the public, right? I suppose it also affects internally accessible servers as well, but to a lesser degree in terms of priority.

detaro|5 years ago

SSH != SSL. EDIT: Expect web servers running HTTPS in modern configurations to be affected, and other TLS-based protocols. SSH is fine.

vladsanchez|5 years ago

OpenSSL is the culprit of a MacPort installation issue (vde2) for which there is no maintainer. It exposes operational vulnerability to unmaintained open source software.

geofft|5 years ago

Just to make sure I understand - you're saying that because OpenSSL is under active maintenance and vde2 is not, OpenSSL is in the wrong?

If you want to use unmaintained software, you know OpenSSL 1.0 still exists in this world, right?

Avamander|5 years ago

Let's be fair, unmaintained proprietary software has the same vulnerability.

snvzz|5 years ago

Sure, let's continue to reward incompetence by further funding openssl.

In a sane world, everybody would have switched to libressl ages ago.

mlindner|5 years ago

LibreSSL has all of the same problems as OpenSSL. It's just a fork from an earlier point in time, before OpenSSL did its big rewrite that came with OpenSSL 1.1.1.

vladsanchez|5 years ago

I gather that LibreSSL has an (unintended) OpenSSL dependency?

"LibreSSL is composed of four parts:

- The openssl(1) utility, which provides tools for managing keys, certificates, etc.
- libcrypto: a library of cryptography fundamentals
- libssl: a TLS library, backwards-compatible with OpenSSL
- libtls: a new TLS library, designed to make it easier to write foolproof application"

:shrug: