Another OpenSSL bug or two?
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur
Someone should tell those programmers to NEVER trust what's being sent by the client.
Another day, another (OpenSSL) bug… sigh.
When do we say, "all software has bugs" and when do we say "those programmers are worthless"?
stan-qaz last edited by
Sounds like mostly minor stuff really, as I saw elsewhere as the evaluation of this release: "I put on my brown pants for this?"
Their release info: https://www.openssl.org/news/secadv_20150319.txt
We are going to see a lot of bugs found and fixed as the program gets a lot of outside attention:
Minor from a security sense, but dead simple DOS attack. Just send an unknown crypto signing algorithm and crash the web server. A few packets every few seconds to keep a server down.
Programmers: Why would anyone send an unknown signing type? That'd crash, doesn't sound desirable to ANYONE. Herpa-Derp
I don't think its that big a deal but these guys need something to write about I guess.