Netgate Discussion Forum

    Upcoming OpenSSL severe bug fix

    Off-Topic & Non-Support Discussion
    15 Posts 6 Posters 3.0k Views
    • jimp Rebel Alliance Developer Netgate

      We're aware. Not much info yet (sometimes we get pre-release info from CERT, but nothing for this). Not even speculation about a cutesy nickname.

      Until told otherwise, I'll call it … <shakes randomizer>

      ```
      $ shuf -n 2 /usr/share/dict/words
      somnolent
      infant
      ```

      It'll do. "somnolent infant" it is.

      We'll pick up the fix automatically when FreeBSD puts it in, and we'll be putting out a new 2.2.4 release soon anyhow to pick up other things like fixes for AES-NI and filesystem issues with pw and config.xml writing (plan is for mid-month, but may fluctuate)

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • KOM

        With amazing naming skills like that, shouldn't you be working for Ubuntu?

        • jimp Rebel Alliance Developer Netgate

          @KOM:

          With amazing naming skills like that, shouldn't you be working for Ubuntu?

          Sadly, though my skills may be amazing, the words did not start with the same next sequential matching letters so I would be fired from Ubuntu. :-(

          • phil.davis

            The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0.0 or 0.9.8 series.

            That is most disappointing. That means that some code change in 1.0.1 has either added the vulnerability or exposed a previous "hidden" vulnerability. In any case, a security-related bug has been added in a relatively recent set of code! We will see exactly what it is in a few days.
            When will the software industry get serious about security and code review-testing?
            I can understand that we have been fixing buffer-overrun and similar vulnerabilities that were in systems that were engineered decades ago when security was not a focus. But in the last 5-10 years everybody has known that security is a must.
            end-of-rant

            As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
            If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

            • KOM

              When will the software industry get serious about security and code review-testing?

              If security was easy & cheap, everyone would be doing it right.

              • divsys

                Reminds me of the universal solution matrix for problem solving:

                1. Good
                2. Inexpensive
                3. Fast

                - Pick any two

                -jfp

                • Harvy66

                  The funny thing is tech debt makes inexpensive and fast more expensive in the long run for any core infrastructure.

                  • KOM

                    I have yet to meet a manager that has 1) a grasp of technology and, 2) an appreciation of the difference between hard and soft costs:  "Get the cheaper thing even though it will cost us many more hours over the course of each year.  The $50 one-time savings is definitely worth it."

                    • Harvy66

                      Seems we got some more info on it

                      http://arstechnica.com/security/2015/07/critical-openssl-bug-allows-attackers-to-impersonate-any-trusted-website/

                      • jimp Rebel Alliance Developer Netgate

                        Despite wanting my name to succeed, someone has dubbed this OprahSSL and I'm inclined to agree.

                        • jimp Rebel Alliance Developer Netgate

                          FreeBSD has fixes in, new snapshots of 2.2.4 will be out soon that have the problem corrected.

                          https://www.freebsd.org/security/advisories/FreeBSD-SA-15:12.openssl.asc

                          Actually upon closer examination, we aren't affected. The version in pfSense 2.2.x is before the affected feature was added. The fix in FreeBSD is only for 10-STABLE after a specific date.

                          So no worries, folks. Just sit back and laugh at everyone else.

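A version check in the spirit of the "are we affected?" reasoning above. This is an added example, not code from the thread or from Netgate; it uses only the release numbers the thread states (fix in 1.0.2d and 1.0.1p; the 1.0.0 and 0.9.8 series unaffected) and takes the text of `openssl version` as input, so the sample lines in the comments are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): classify an "openssl version" line
# against the release numbers quoted in this thread: the fix ships in
# 1.0.2d and 1.0.1p, and the 1.0.0 / 0.9.8 series are not affected.
# Return codes: 0 = fixed release or unaffected series,
#               1 = older than the fixed release in an affected series,
#               2 = cannot parse, or series not covered by the quoted text.

openssl_needs_fix() {
    # $1 is the whole output line, e.g. "OpenSSL 1.0.1o 12 Jun 2015" or the
    # FreeBSD base form "OpenSSL 1.0.1l-freebsd ..." (constructed samples).
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "cannot parse: $1"
        return 2
    fi
    base=$(printf '%s' "$ver" | sed 's/[a-z]*$//')    # numeric part, e.g. 1.0.1
    letter=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')  # patch letter(s), may be empty
    case "$base" in
        1.0.1) fixed=p ;;
        1.0.2) fixed=d ;;
        1.0.0|0.9.8)
            echo "$ver: series not affected"
            return 0 ;;
        *)
            echo "$ver: series not covered by the advisory text; check the vendor"
            return 2 ;;
    esac
    # Patch releases are lettered a, b, c, ...; the bare base release has no
    # letter and sorts first. Compare by the first letter's ordinal (the 1.0.1
    # and 1.0.2 series never reached double letters, so one character suffices).
    if [ -z "$letter" ]; then
        ord=0
    else
        ord=$(printf '%d' "'$(printf '%s' "$letter" | cut -c1)")
    fi
    fixed_ord=$(printf '%d' "'$fixed")
    if [ "$ord" -lt "$fixed_ord" ]; then
        echo "$ver: older than ${base}${fixed}; update (per the thread, only the June 2015 builds contain the affected code)"
        return 1
    fi
    echo "$ver: at or past ${base}${fixed}"
    return 0
}

# Check the locally installed library when run directly.
rc=0; openssl_needs_fix "$(openssl version 2>/dev/null)" || rc=$?
echo "verdict code: $rc"
```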
                          • KOM

                            Just sit back and laugh at everyone else.

                            Everyone else?  From what I have read, hardly anybody was using the June library anyway so its effect is expected to be very limited.

                            • jimp Rebel Alliance Developer Netgate

                              @KOM:

                              Just sit back and laugh at everyone else.

                              Everyone else?  From what I have read, hardly anybody was using the June library anyway so its effect is expected to be very limited.

                              Ssshhhh… don't kill the mood. It's a rare day we get to practically ignore an OpenSSL SA. :-)

                              • dennypage

                                @jimp:

                                Ssshhhh… don't kill the mood. It's a rare day we get to practically ignore an OpenSSL SA. :-)

                                :)

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.