Upcoming OpenSSL severe bug fix
-
When will the software industry get serious about security and code review-testing?
If security was easy & cheap, everyone would be doing it right.
-
Reminds me of the universal solution matrix for problem solving:
- Good
- Inexpensive
- Fast
- Pick any two
-
The funny thing is tech debt makes inexpensive and fast more expensive in the long run for any core infrastructure.
-
I have yet to meet a manager that has 1) a grasp of technology and 2) an appreciation of the difference between hard and soft costs: "Get the cheaper thing even though it will cost us many more hours over the course of each year. The $50 one-time savings is definitely worth it."
-
Seems we got some more info on it
http://arstechnica.com/security/2015/07/critical-openssl-bug-allows-attackers-to-impersonate-any-trusted-website/
-
Despite wanting my name to succeed, someone has dubbed this OprahSSL and I'm inclined to agree.
-
FreeBSD has fixes in,
new snapshots of 2.2.4 will be out soon that have the problem corrected.
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:12.openssl.asc
Actually upon closer examination, we aren't affected. The version in pfSense 2.2.x is before the affected feature was added. The fix in FreeBSD is only for 10-STABLE after a specific date.
So no worries, folks. Just sit back and laugh at everyone else.
-
Just sit back and laugh at everyone else.
Everyone else? From what I have read, hardly anybody was using the June library anyway so its effect is expected to be very limited.
-
@KOM:
Just sit back and laugh at everyone else.
Everyone else? From what I have read, hardly anybody was using the June library anyway so its effect is expected to be very limited.
Ssshhhh… don't kill the mood. It's a rare day we get to practically ignore an OpenSSL SA. :-)
-
Ssshhhh… don't kill the mood. It's a rare day we get to practically ignore an OpenSSL SA. :-)
:)