[HN Gopher] OpenSSL high-severity bug - affects 1.1.1d, 1.1.1e, ...
___________________________________________________________________
OpenSSL high-severity bug - affects 1.1.1d, 1.1.1e, 1.1.1f
Author : AngeloR
Score : 118 points
Date : 2020-04-21 14:28 UTC (8 hours ago)
(HTM) web link (www.openssl.org)
(TXT) w3m dump (www.openssl.org)
| nayuki wrote:
| What popular software contain these vulnerable versions of the
| OpenSSL library?
| AngeloR wrote:
| I have no idea what a full list looks like.. but the
| nginx:1.17.10-alpine docker image contains the following:
| / # nginx -V nginx
| version: nginx/1.17.10 built by gcc 9.2.0 (Alpine
| 9.2.0) built with OpenSSL 1.1.1d 10 Sep 2019
| ajp wrote:
| Mine has a "running with..." part after that.
| built with OpenSSL 1.1.1d 10 Sep 2019 (running with OpenSSL
| 1.1.1g 21 Apr 2020)
| pmorici wrote:
| Any embedded system that uses a recent version of buildroot and
| includes openssl. Starting with at least version 2019.02.9
| erichdongubler wrote:
| This is a good question. Also important to remember is that for
| many Linux distributions dynamically linked OpenSSL artifacts
| are what end up getting used by the vast majority of binaries.
| jolmg wrote:
| Yeah, I was thinking by all of the binaries. I had forgotten
| that there's software that bundle it independently of the
| distro's library. Another comment mentioned docker images,
| and I've remembered that ruby also bundles it for its own
| use.
| 9wzYQbTYsAIc wrote:
| > This issue was found by Bernd Edlinger and reported to OpenSSL
| on 7th April 2020. It was found using the new static analysis
| pass being implemented in GCC, -fanalyzer.
|
| 2 week turnaround time, not bad I guess, for something found by a
| static analyzer.
| snvzz wrote:
| Sure, let's continue to reward incompetence by further funding
| openssl.
|
| In a sane world, everybody would have switched to libressl ages
| ago.
| vladsanchez wrote:
| I gather that LibreSSL has an (unintended) OpenSSL dependency?
|
| "LibreSSL is composed of four parts:
|
| - The openssl(1) utility, which provides tools for managing
| keys, certificates, etc. - libcrypto: a library of cryptography
| fundamentals - libssl: a TLS library, backwards-compatible with
| OpenSSL - libtls: a new TLS library, designed to make it easier
| to write foolproof application"
|
| :shrug:
| notaplumber wrote:
| No, LibreSSL is a fork of OpenSSL that predates this
| vulnerability, it even predates the OpenSSL 1.1.x API break
| (some compatibility has since been added), and has an
| entirely separate and new TLS 1.3 implementation.
|
| https://www.openbsd.org/papers/bsdcan2019-tls13.pdf (video:
| https://www.youtube.com/watch?v=MCVIBwGOwNY)
|
| It maintains source compatibility with OpenSSL at an API and
| command-line level (e.g. openssl(1) utility).
|
| LibreSSL cannot copy code from later versions of OpenSSL as
| they relicensed it under the Apache 2.0 license.
| nayuki wrote:
| OpenSSL vulnerabilities: The gift that keeps on giving.
| takeda wrote:
| I suppose so, but this bug only allows to crash the
| application. No doubt OpenSSL is buggy, but its problem is that
| a lot of applications depend on it as well.
|
| I'm hoping it will eventually reach status of bind or sendmail,
| they had also very bad track record, but vulnerabilities now
| are quite rare.
| stuff4ben wrote:
| This would primarily affect web servers exposing SSH access to
| the public right? I suppose it also affects internally accessible
| servers as well but to a lesser degree in terms of priority.
| detaro wrote:
| SSH != SSL. EDIT: Expect web servers running HTTPS in modern
| configurations to be affected, and other TLS based protocols.
| SSH is fine.
| chupa-chups wrote:
| Both SSH and SSL base on TLS. The leak in question has a
| problem
|
| > during or after a TLS 1.3 handshake
|
| Sure, openSSL is not SSH, but it is not unreasonable to
| assume this leak may affect web servers as well (e.g. by
| being based on the same underlying TLS implementation).
|
| "SSH != SSL" is a bit short to invalidate the assumption of
| the OP. I'd not be so sure this problem does not affect "web
| server X".
|
| https://en.wikipedia.org/wiki/Transport_Layer_Security
|
| OK, learnt something new today:
| https://crypto.stackexchange.com/questions/60255/why-
| doesnt-...
|
| https://xkcd.com/1053/
|
| Thanks! :)
| hannob wrote:
| > Both SSH and SSL base on TLS
|
| No.
| [deleted]
| detaro wrote:
| The parent is asking if primarily servers exposing " _SSH_
| " are affected. I should be less glib though, fair enough.
| will edit.
| notaplumber wrote:
| > Both SSH and SSL base on TLS.
|
| You are very mistaken. OpenSSH only uses OpenSSL (or
| LibreSSL) as an optional dependency for the libcrypto
| primitives (RSA/AES etc). NOT for libssl.
|
| The SSH protocol has nothing to do with either SSL or TLS.
| agumonkey wrote:
| Now I know why arch pushed a new version this afternoon.
| vladsanchez wrote:
| OpenSSL is the culprit of a MacPort installation issue (vde2) for
| which there is no maintainer. It exposes operational
| vulnerability to unmaintained open source software.
| saagarjha wrote:
| This looks like it should be vde2's problem, not OpenSSL's:
| https://lists.macports.org/pipermail/macports-users/2019-Oct...
| geofft wrote:
| Just to make sure I understand - you're saying that because
| OpenSSL is under active maintenance and vde2 is not, OpenSSL is
| in the wrong?
|
| If you want to use unmaintained software, you know OpenSSL 1.0
| still exists in this world, right?
| Avamander wrote:
| Lets be fair, unmaintained proprietary software has the same
| vulnerability.
| judge2020 wrote:
| At least it's just DOS and not anything like heartbleed.
| pronoiac wrote:
| Checking out packages.ubuntu.com, it looks like the only version
| impacted is "focal;" the other versions are too old.
| lvs wrote:
| Is there a reason why something as important as openssl is not
| being backported to keep up with the most recent versions?
| richardwhiuk wrote:
| Compatibility with other libraries and testing effort. You
| end up back porting everything.
|
| Ubuntu backports the fixes them instead (i.e. Ubuntu's 1.0.2
| will be patch with CVE fixes going forward instead of
| backporting 1.1 wholesale).
___________________________________________________________________
(page generated 2020-04-21 23:00 UTC)