[HN Gopher] OpenSSL high-severity bug - affects 1.1.1d, 1.1.1e, ... ___________________________________________________________________ OpenSSL high-severity bug - affects 1.1.1d, 1.1.1e, 1.1.1f Author : AngeloR Score : 118 points Date : 2020-04-21 14:28 UTC (8 hours ago) (HTM) web link (www.openssl.org) (TXT) w3m dump (www.openssl.org) | nayuki wrote: | What popular software contain these vulnerable versions of the | OpenSSL library? | AngeloR wrote: | I have no idea what a full list looks like.. but the | nginx:1.17.10-alpine docker image contains the following: | / # nginx -V nginx | version: nginx/1.17.10 built by gcc 9.2.0 (Alpine | 9.2.0) built with OpenSSL 1.1.1d 10 Sep 2019 | ajp wrote: | Mine has a "running with..." part after that. | built with OpenSSL 1.1.1d 10 Sep 2019 (running with OpenSSL | 1.1.1g 21 Apr 2020) | pmorici wrote: | Any embedded system that uses a recent version of buildroot and | includes openssl. Starting with at least version 2019.02.9 | erichdongubler wrote: | This is a good question. Also important to remember is that for | many Linux distributions dynamically linked OpenSSL artifacts | are what end up getting used by the vast majority of binaries. | jolmg wrote: | Yeah, I was thinking by all of the binaries. I had forgotten | that there's software that bundle it independently of the | distro's library. Another comment mentioned docker images, | and I've remembered that ruby also bundles it for its own | use. | 9wzYQbTYsAIc wrote: | > This issue was found by Bernd Edlinger and reported to OpenSSL | on 7th April 2020. It was found using the new static analysis | pass being implemented in GCC, -fanalyzer. | | 2 week turnaround time, not bad I guess, for something found by a | static analyzer. | snvzz wrote: | Sure, let's continue to reward incompetence by further funding | openssl. | | In a sane world, everybody would have switched to libressl ages | ago. | vladsanchez wrote: | I gather that LibreSSL has an (unintended) OpenSSL dependency? | | "LibreSSL is composed of four parts: | | - The openssl(1) utility, which provides tools for managing | keys, certificates, etc. - libcrypto: a library of cryptography | fundamentals - libssl: a TLS library, backwards-compatible with | OpenSSL - libtls: a new TLS library, designed to make it easier | to write foolproof application" | | :shrug: | notaplumber wrote: | No, LibreSSL is a fork of OpenSSL that predates this | vulnerability, it even predates the OpenSSL 1.1.x API break | (some compatibility has since been added), and has an | entirely separate and new TLS 1.3 implementation. | | https://www.openbsd.org/papers/bsdcan2019-tls13.pdf (video: | https://www.youtube.com/watch?v=MCVIBwGOwNY) | | It maintains source compatibility with OpenSSL at an API and | command-line level (e.g. openssl(1) utility). | | LibreSSL cannot copy code from later versions of OpenSSL as | they relicensed it under the Apache 2.0 license. | nayuki wrote: | OpenSSL vulnerabilities: The gift that keeps on giving. | takeda wrote: | I suppose so, but this bug only allows to crash the | application. No doubt OpenSSL is buggy, but its problem is that | a lot of applications depend on it as well. | | I'm hoping it will eventually reach status of bind or sendmail, | they had also very bad track record, but vulnerabilities now | are quite rare. | stuff4ben wrote: | This would primarily affect web servers exposing SSH access to | the public right? I suppose it also affects internally accessible | servers as well but to a lesser degree in terms of priority. | detaro wrote: | SSH != SSL. EDIT: Expect web servers running HTTPS in modern | configurations to be affected, and other TLS based protocols. | SSH is fine. | chupa-chups wrote: | Both SSH and SSL base on TLS. The leak in question has a | problem | | > during or after a TLS 1.3 handshake | | Sure, openSSL is not SSH, but it is not unreasonable to | assume this leak may affect web servers as well (e.g. by | being based on the same underlying TLS implementation). | | "SSH != SSL" is a bit short to invalidate the assumption of | the OP. I'd not be so sure this problem does not affect "web | server X". | | https://en.wikipedia.org/wiki/Transport_Layer_Security | | OK, learnt something new today: | https://crypto.stackexchange.com/questions/60255/why- | doesnt-... | | https://xkcd.com/1053/ | | Thanks! :) | hannob wrote: | > Both SSH and SSL base on TLS | | No. | [deleted] | detaro wrote: | The parent is asking if primarily servers exposing " _SSH_ | " are affected. I should be less glib though, fair enough. | will edit. | notaplumber wrote: | > Both SSH and SSL base on TLS. | | You are very mistaken. OpenSSH only uses OpenSSL (or | LibreSSL) as an optional dependency for the libcrypto | primitives (RSA/AES etc). NOT for libssl. | | The SSH protocol has nothing to do with either SSL or TLS. | agumonkey wrote: | Now I know why arch pushed a new version this afternoon. | vladsanchez wrote: | OpenSSL is the culprit of a MacPort installation issue (vde2) for | which there is no maintainer. It exposes operational | vulnerability to unmaintained open source software. | saagarjha wrote: | This looks like it should be vde2's problem, not OpenSSL's: | https://lists.macports.org/pipermail/macports-users/2019-Oct... | geofft wrote: | Just to make sure I understand - you're saying that because | OpenSSL is under active maintenance and vde2 is not, OpenSSL is | in the wrong? | | If you want to use unmaintained software, you know OpenSSL 1.0 | still exists in this world, right? | Avamander wrote: | Lets be fair, unmaintained proprietary software has the same | vulnerability. | judge2020 wrote: | At least it's just DOS and not anything like heartbleed. | pronoiac wrote: | Checking out packages.ubuntu.com, it looks like the only version | impacted is "focal;" the other versions are too old. | lvs wrote: | Is there a reason why something as important as openssl is not | being backported to keep up with the most recent versions? | richardwhiuk wrote: | Compatibility with other libraries and testing effort. You | end up back porting everything. | | Ubuntu backports the fixes them instead (i.e. Ubuntu's 1.0.2 | will be patch with CVE fixes going forward instead of | backporting 1.1 wholesale). ___________________________________________________________________ (page generated 2020-04-21 23:00 UTC)