
OpenSSL Security Advisory - hannob
https://mta.openssl.org/pipermail/openssl-announce/2017-January/000094.html
======
josteink
> OpenSSL 1.0.2k users should upgrade to 1.0.2k

Well that's certainly helpful advice :)

------
imglorp
Another OOB? At this point, hasn't anyone run a static analyzer on the darn
thing and fixed all the warnings?

11/16 - NPR - [https://mta.openssl.org/pipermail/openssl-announce/2016-Nove...](https://mta.openssl.org/pipermail/openssl-announce/2016-November/000087.html)

9/16 - dangling pointer - [https://mta.openssl.org/pipermail/openssl-announce/2016-Sept...](https://mta.openssl.org/pipermail/openssl-announce/2016-September/000083.html)

5/16 - buffer underflow - [https://mta.openssl.org/pipermail/openssl-announce/2016-May/...](https://mta.openssl.org/pipermail/openssl-announce/2016-May/000072.html)

3/16 - NPE, double free, etc - [https://mta.openssl.org/pipermail/openssl-announce/2016-Marc...](https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html)

... I'm tired looking...

~~~
MichaelGG
If static analyzers could find all problems in C with a low false positive
rate, then that'd eliminate one of the big problems with C and partially
negate the need for Rust.

~~~
technion
I've run several respected static analyzers against several well respected
projects and I'm lucky if I get more than 2-3 false positives.

In the Argon2 reference library, the one alert from Infer was a genuine bug I
sent a PR for, followed by one alert from tis-interpreter that was another
genuine bug. clang-analyser produces clean output.

It's true that you get so many false positives under OpenSSL it's not feasible
to review. I would contend this is an indicator of code quality more than an
indicator of poor static analysers.

------
guidovranken
I've written this article on CVE-2017-3730:
[https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-...](https://guidovranken.wordpress.com/2017/01/26/cve-2017-3730-openssl-1-1-0-remote-client-denial-of-service-affects-servers-as-well-poc/)

It includes proofs of concept and touches upon the fact that client
vulnerabilities can affect some servers just as well, because servers
sometimes initiate connections to other servers. Mail servers do this, as well
as certain web applications.

------
willvarfar
For those looking around for near-drop-in replacement:

[https://www.libressl.org/](https://www.libressl.org/)

------
PuffinBlue
Interesting to see the note about version 1.0.1 there. Isn't that the latest
available in Ubuntu 14.04?

    Note
    ====

    Support for version 1.0.1 ended on 31st December 2016. Support for versions
    0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer
    receiving security updates.

I'm not intimately familiar with how Ubuntu handles LTS releases, but I'd assume
they don't backport security releases for such old third party packages? Or do
they?

EDIT: I can answer my own question: they do backport security updates, even
for unsupported software that they still ship.

[http://askubuntu.com/questions/863477/will-ubuntu-14-04-rele...](http://askubuntu.com/questions/863477/will-ubuntu-14-04-release-security-updates-for-openssl-1-0-1-even-after-31st-dec)

[https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/15966...](https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1596693)

------
rrdharan
The most serious ones seem to be 32-bit only, which may provide you some
relief / buy you some time if all your servers are 64-bit (though you should
probably still upgrade).

------
busterarm
I have OpenSSL update fatigue.

~~~
bluejekyll
Sadly this may be a feature of all cryptographic software.

Isolate your exposed services, give them push button deploys to get current
versions out to each node as quickly as possible.

~~~
jdc0589
> Isolate your exposed services

Most important part. Vulnerabilities need to get patched, period. But I'm a
lot less stressed about it when I know my publicly exposed surface is small,
and even that has layers in front of it.

------
esseti
What's the last version on jessie (Debian)? Checking on my machines says
1.0.1t. In one of the comments it seems that 1.0.1 is not updated anymore.
Checking `apt-cache policy openssl` shows installed and candidate as
1.0.1t-1+deb8u5.

What should I do?
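On the version question above: the upstream string reported by `openssl version` (1.0.1t) does not change when a distribution backports a security fix; only the Debian revision (the `+deb8uN` suffix) moves, so patch status has to be judged from the package version and the security tracker, not from the upstream number. As an added example, not code from any commenter, this Python parses `apt-cache policy` output (a constructed sample mirroring the version quoted above) and compares versions with dpkg's ordering rules; the `deb8u6` candidate used in the test is hypothetical.

```python
import re
from itertools import zip_longest

# Constructed `apt-cache policy openssl` output for a Debian 8 host, using the
# package version quoted in the thread (not real captured output).
POLICY_SAMPLE = """openssl:
  Installed: 1.0.1t-1+deb8u5
  Candidate: 1.0.1t-1+deb8u5
"""

def _order(ch):
    # dpkg weight: '~' before anything (even end of string), letters before symbols
    if ch == "~":
        return -1
    return 0 if not ch or ch.isdigit() else ord(ch) if ch.isalpha() else ord(ch) + 256

def _verrevcmp(a, b):
    # dpkg ordering: a version alternates non-digit runs and numeric runs; compare
    # each non-digit run character by character, each numeric run as an integer
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def split_version(v):
    """'[epoch:]upstream[-revision]' -> (epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    epoch, rest = (int(epoch), rest) if sep else (0, v)
    upstream, sep, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if sep else (epoch, rest, "")

def compare_versions(a, b):
    """-1, 0 or 1, in the order dpkg --compare-versions uses."""
    (ea, ua, ra), (eb, ub, rb) = split_version(a), split_version(b)
    c = (ea > eb) - (ea < eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (c > 0) - (c < 0)

def patch_status(policy_text):
    """Classify Installed against Candidate from `apt-cache policy` output."""
    f = dict(re.findall(r"^\s*(Installed|Candidate):\s*(\S+)", policy_text, re.M))
    inst, cand = f.get("Installed"), f.get("Candidate")
    if inst in (None, "(none)") or cand in (None, "(none)"):
        return "not installed"
    if compare_versions(inst, cand) >= 0:
        return "up to date"
    # Same upstream version, newer Debian revision: a backported fix is waiting
    if split_version(inst)[1] == split_version(cand)[1]:
        return "security backport pending"
    return "upstream update pending"
```

Whether a given revision actually contains the fix for a specific CVE is what the Debian security tracker answers; this only tells you whether the host is behind its own repository.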

~~~
jxcl
This is a very useful site for Debian security issues:

[https://security-tracker.debian.org/tracker/source-package/o...](https://security-tracker.debian.org/tracker/source-package/openssl)

~~~
esseti
So only unstable is secure... What's the general approach then? Should I use
sid? (This is counterintuitive.)

