[RndTbl] [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36
Gilbert Detillieux
Gilbert.Detillieux at umanitoba.ca
Wed Feb 22 15:37:47 CST 2023
Thanks for the update on LibreSSL. Last time I looked at it, they were
still in version 1.x, and still only supported on BSD-based systems. I
see they're at version 3.x now.
I wonder how much of this is still the case about support on Linux?...
https://lwn.net/Articles/841664/
There's also an overwhelming level of "this-is-fine"-ism in the
industry, so as long as OpenSSL isn't a complete dumpster fire at the
moment, people aren't willing to invest in alternatives, regardless of
how drop-in-ready they may be (which is apparently still a debatable
point with LibreSSL on Linux, or at least still was 2 years ago, when
the above article was written).
Longer term, maybe a complete re-imagining is what the industry will
need to move forward. Most companies and developers are motivated more
by new features than by correctness or security, sadly.
Gilbert
On 2023-02-22 3:12 p.m., Adam Thompson wrote:
> Bob Beck et al. from the OpenBSD project already "secured" OpenSSL, with
> the result being called LibreSSL. It's drop-in compatible for many
> applications, but does require recompiling. That team did a number of
> presentations on it, and apparently you can still hear the swearing
> echoing late at night when it's quiet...
>
> The OpenSSL team, however, appear to be rather resistant to help.
> Serious NIH syndrome. Also they're more focused on preserving backwards
> compatibility than correctness or security. And also don't respond well
> to criticism, from what I've seen.
>
> All the large orgs you mentioned already have their own
> OpenSSL-replacement projects in-house, some of them public. None of
> those are even remotely drop-in replacements, they're re-imagninings of
> what a secure-connection library should be.
>
> -Adam
> ------------------------------------------------------------------------
> *From:* Roundtable <roundtable-bounces at muug.ca> on behalf of Gilbert
> Detillieux <Gilbert.Detillieux at umanitoba.ca>
> *Sent:* February 22, 2023 2:17 PM
> *To:* Continuation of Round Table discussion <roundtable at muug.ca>
> *Subject:* Re: [RndTbl] Fw: [SECURITY] Fedora 36 Update:
> openssl-3.0.8-1.fc36
> As if we didn't already have enough issues with OpenSSL, what with
> buffer overrun vulnerabilities in new/recent code*, and more direct
> coding flaws (pointer free/dereference and such) that were recently
> announced**.
>
> You'd think with the combined wealth and resources of Alphabet/Google,
> Apple, and Microsoft, they'd find it in their best collective
> self-interest to fund a project to replace this garbage with some, you
> know, actually secure code.
>
> Sigh!
>
> Gilbert
>
> *
> https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/ <https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/>
>
> ** https://www.openssl.org/news/secadv/20230207.txt
> <https://www.openssl.org/news/secadv/20230207.txt>
> https://linuxsecurity.com/features/urgent-openssl-security-advisory
> <https://linuxsecurity.com/features/urgent-openssl-security-advisory>
>
> https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/ <https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/>
>
> https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix <https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix>
> (Many of the above do mention the side-channel attack too.)
>
> On 2023-02-22 1:51 p.m., Trevor Cordes wrote:
>> Oh joy, "password timing" attacks come to SSL.
>>
>> e.g. CVE-2022-4304 Published 2023-02-08T20:15:00
>> A timing based side channel exists in the OpenSSL RSA Decryption
>> implementation which could be sufficient to recover a plaintext across
>> a network in a Bleichenbacher style attack.
>>
>>
>> Begin forwarded message:
>>
>> Date: Wed, 22 Feb 2023 11:09:09 +0000 (GMT)
>> From: updates at fedoraproject.org
>> To: package-announce at lists.fedoraproject.org
>> Subject: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36
>>
>> --------------------------------------------------------------------------------
>> Fedora Update Notification
>> FEDORA-2023-a5564c0a3f
>> 2023-02-22 11:06:32.699863
>> --------------------------------------------------------------------------------
>>
>> Name : openssl
>> Product : Fedora 36
>> Version : 3.0.8
>> Release : 1.fc36
>>
>> * Thu Feb 9 2023 Dmitry Belyavskiy <dbelyavs at redhat.com> - 1:3.0.8-1
>> - Rebase to upstream version 3.0.8
>> Resolves: CVE-2022-4203
>> Resolves: CVE-2022-4304
>> Resolves: CVE-2022-4450
>> Resolves: CVE-2023-0215
>> Resolves: CVE-2023-0216
>> Resolves: CVE-2023-0217
>> Resolves: CVE-2023-0286
>> Resolves: CVE-2023-0401
--
Gilbert Detillieux E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science Web: http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba Phone: 204-474-8161
Winnipeg MB CANADA R3T 2N2
More information about the Roundtable
mailing list