OpenSSL high-severity bug – affects 1.1.1d, 1.1.1e, 1.1.1f

  • > This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April 2020. It was found using the new static analysis pass being implemented in GCC, -fanalyzer.

    2 week turnaround time, not bad I guess, for something found by a static analyzer.

  • At least it's just DOS and not anything like heartbleed.

  • What popular software contains these vulnerable versions of the OpenSSL library?

  • Checking out packages.ubuntu.com, it looks like the only version impacted is "focal;" the other versions are too old.

  • Now I know why Arch pushed a new version this afternoon.

  • Is BoringSSL affected?

  • So how widely is TLS 1.3

    a) used?

    b) enabled in either client or server?

  • OpenSSL vulnerabilities: The gift that keeps on giving.

  • This would primarily affect web servers exposing SSH access to the public right? I suppose it also affects internally accessible servers as well but to a lesser degree in terms of priority.

  • OpenSSL is the culprit of a MacPort installation issue (vde2) for which there is no maintainer. It exposes operational vulnerability to unmaintained open source software.

  • Sure, let's continue to reward incompetence by further funding openssl.

    In a sane world, everybody would have switched to libressl ages ago.