Netgate Discussion Forum

    Another OpenSSL bug or two?

    • Harvy66

      http://arstechnica.com/security/2015/03/openssl-warns-of-two-high-severity-bugs-but-no-heartbleed/

      If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature algorithms extension, a NULL pointer dereference will occur.

      Someone should tell those programmers to NEVER trust what's being sent by the client.

      • Nullity

        Another day, another (OpenSSL) bug… sigh.

        When do we say, "all software has bugs" and when do we say "those programmers are worthless"?

        Please correct any obvious misinformation in my posts.
        -Not a professional; an arrogant ignoramous.

        • stan-qaz

          Sounds like mostly minor stuff really, as I saw elsewhere as the evaluation of this release: "I put on my brown pants for this?"

          Their release info: https://www.openssl.org/news/secadv_20150319.txt

          We are going to see a lot of bugs found and fixed as the program gets a lot of outside attention:

          http://www.linuxfoundation.org/programs/core-infrastructure-initiative

          • Harvy66

            Minor from a security sense, but dead simple DoS attack. Just send an unknown crypto signing algorithm and crash the web server. A few packets every few seconds to keep a server down.

            Programmers: Why would anyone send an unknown signing type? That'd crash, doesn't sound desirable to ANYONE. Herpa-Derp

            • kejianshi

              I don't think it's that big a deal but these guys need something to write about I guess.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.