Another OpenSSL bug or two?
-
http://arstechnica.com/security/2015/03/openssl-warns-of-two-high-severity-bugs-but-no-heartbleed/
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur.
Someone should tell those programmers to NEVER trust what's being sent by the client.
-
Another day, another (OpenSSL) bug… sigh.
When do we say, "all software has bugs" and when do we say "those programmers are worthless"?
-
Sounds like mostly minor stuff really, as I saw elsewhere as the evaluation of this release: "I put on my brown pants for this?"
Their release info: https://www.openssl.org/news/secadv_20150319.txt
We are going to see a lot of bugs found and fixed as the program gets a lot of outside attention:
http://www.linuxfoundation.org/programs/core-infrastructure-initiative
-
Minor from a security sense, but dead simple DoS attack. Just send an unknown crypto signing algorithm and crash the web server. A few packets every few seconds to keep a server down.
Programmers: Why would anyone send an unknown signing type? That'd crash, doesn't sound desirable to ANYONE. Herpa-Derp
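The two posts above (the first one's "never trust what's being sent by the client" and this one's "unknown signing type") describe the same defect class: a server looks up the client's offered signature algorithm in a table, the lookup returns NULL for a value it does not know, and the caller uses the result without checking. The example below is added here as an illustration and is not OpenSSL code or anything from this thread. It models the TLS 1.2 signature_algorithms extension body (a 2-byte length followed by {hash, signature} byte pairs, per RFC 5246) with a small constructed table, and shows the defensive pattern: every lookup may return NULL, unknown pairs are skipped, malformed framing is rejected, and the negotiation layer returns a failure string rather than dereferencing a null pointer. The table contents, function names and sample byte strings are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the TLS 1.2 signature_algorithms extension
 * body (RFC 5246 section 7.4.1.4.1): a 2-byte big-endian list length followed
 * by {HashAlgorithm, SignatureAlgorithm} byte pairs. Not OpenSSL code. */
typedef struct {
    uint8_t hash;      /* 4 = sha256, 5 = sha384, 6 = sha512 */
    uint8_t sig;       /* 1 = rsa, 3 = ecdsa */
    const char *name;
} sigalg_t;

static const sigalg_t known_sigalgs[] = {
    {4, 1, "rsa_sha256"},   {5, 1, "rsa_sha384"},   {6, 1, "rsa_sha512"},
    {4, 3, "ecdsa_sha256"}, {5, 3, "ecdsa_sha384"}, {6, 3, "ecdsa_sha512"},
};
#define N_KNOWN (sizeof(known_sigalgs) / sizeof(known_sigalgs[0]))

/* Table lookup. Returns NULL for any pair the server does not implement;
 * every caller must test for NULL before touching the result. */
const sigalg_t *lookup_sigalg(uint8_t hash, uint8_t sig) {
    for (size_t i = 0; i < N_KNOWN; i++)
        if (known_sigalgs[i].hash == hash && known_sigalgs[i].sig == sig)
            return &known_sigalgs[i];
    return NULL;
}

/* Parse the extension body. Returns -1 when the framing is malformed, otherwise
 * the number of recognised pairs; the first `max_out` of them are written to
 * `out`. Unrecognised pairs are skipped rather than resolved to a NULL entry. */
int parse_sigalgs(const uint8_t *buf, size_t len,
                  const sigalg_t **out, size_t max_out) {
    if (buf == NULL || len < 2) return -1;
    size_t list_len = ((size_t)buf[0] << 8) | buf[1];
    if (list_len + 2 != len || (list_len & 1) != 0) return -1;  /* pairs only */
    int n = 0;
    for (size_t i = 2; i + 1 < len; i += 2) {
        const sigalg_t *a = lookup_sigalg(buf[i], buf[i + 1]);
        if (a == NULL) continue;            /* unknown: ignore, never dereference */
        if ((size_t)n < max_out) out[n] = a;
        n++;
    }
    return n;
}

/* Choose the algorithm the server will sign with. Returns NULL when the client
 * offered nothing usable; the handshake layer then fails the handshake instead
 * of reading through a null pointer. */
const sigalg_t *choose_sigalg(const uint8_t *buf, size_t len) {
    const sigalg_t *offered[16];
    int n = parse_sigalgs(buf, len, offered, 16);
    if (n <= 0) return NULL;
    return offered[0];                      /* client preference order */
}

/* Outcome string a handshake layer could log; never crashes on bad input. */
const char *negotiate_sigalg(const uint8_t *buf, size_t len) {
    const sigalg_t *a = choose_sigalg(buf, len);
    if (a == NULL) return "handshake_failure: no usable signature algorithm";
    return a->name;
}

/* Constructed sample extension bodies (not captured traffic). */
static const uint8_t good_ext[]    = {0x00, 0x04, 0x04, 0x03, 0x04, 0x01}; /* ecdsa_sha256, rsa_sha256 */
static const uint8_t unknown_ext[] = {0x00, 0x02, 0xEE, 0xEE};             /* one unassigned pair */
static const uint8_t short_ext[]   = {0x00, 0x04, 0x04, 0x01};             /* length field claims more bytes than present */

int main(void) {
    printf("%s\n", negotiate_sigalg(good_ext, sizeof good_ext));
    printf("%s\n", negotiate_sigalg(unknown_ext, sizeof unknown_ext));
    printf("%s\n", negotiate_sigalg(short_ext, sizeof short_ext));
    return 0;
}
```

The point of the structure is that the NULL case is handled at the layer that knows what to do with it (fail the handshake) and is impossible to forget at the layer that merely looks values up; the unassigned pair is neither trusted nor fatal, which is what the first post's "never trust the client" amounts to in practice.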
-
I don't think it's that big a deal, but these guys need something to write about, I guess.