Netgate Discussion Forum

    Upcoming OpenSSL severe bug fix

    Off-Topic & Non-Support Discussion
    15 Posts 6 Posters 3.0k Views
      Harvy66

      Not a whole lot from this link, but the only one I've seen this far

      http://www.theregister.co.uk/2015/07/06/awoogah_get_ready_to_patch_severe_bug_in_openssl_this_thursday/

        jimp (Rebel Alliance Developer, Netgate)

        We're aware. Not much info yet (sometimes we get pre-release info from CERT, but nothing for this). Not even speculation about a cutesy nickname.

        Until told otherwise, I'll call it … <shakes randomizer>

        ```
        $ shuf -n 2 /usr/share/dict/words
        somnolent
        infant
        ```

        It'll do. "somnolent infant" it is.

        We'll pick up the fix automatically when FreeBSD puts it in, and we'll be putting out a new 2.2.4 release soon anyhow to pick up other things like fixes for AES-NI and filesystem issues with pw and config.xml writing (plan is for mid-month, but may fluctuate).

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          KOM

          With amazing naming skills like that, shouldn't you be working for Ubuntu?

            jimp (Rebel Alliance Developer, Netgate)

            @KOM:

            With amazing naming skills like that, shouldn't you be working for Ubuntu?

            Sadly, though my skills may be amazing, the words did not start with the same next sequential matching letters so I would be fired from Ubuntu. :-(

              phil.davis

              The bug, we're told, will be addressed in versions 1.0.2d and 1.0.1p of the software. The vulnerability does not affect the 1.0.0 or 0.9.8 series.

              That is most disappointing. That means that some code change in 1.0.1 has either added the vulnerability or exposed a previous "hidden" vulnerability. In any case, a security-related bug has been added in a relatively recent set of code! We will see exactly what it is in a few days.
              When will the software industry get serious about security and code review-testing?
              I can understand that we have been fixing buffer-overrun and similar vulnerabilities that were in systems that were engineered decades ago when security was not a focus. But in the last 5-10 years everybody has known that security is a must.
              end-of-rant

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                KOM

                When will the software industry get serious about security and code review-testing?

                If security was easy & cheap, everyone would be doing it right.

                  divsys

                  Reminds me of the universal solution matrix for problem solving:

                  1. Good
                  2. Inexpensive
                  3. Fast

                  - Pick any two

                  -jfp

                    Harvy66

                    The funny thing is tech debt makes inexpensive and fast more expensive in the long run for any core infrastructure.

                      KOM

                      I have yet to meet a manager that has 1) a grasp of technology and, 2) an appreciation of the difference between hard and soft costs:  "Get the cheaper thing even though it will cost us many more hours over the course of each year.  The $50 one-time savings is definitely worth it."

                        Harvy66

                        Seems we got some more info on it

                        http://arstechnica.com/security/2015/07/critical-openssl-bug-allows-attackers-to-impersonate-any-trusted-website/

                          jimp (Rebel Alliance Developer, Netgate)

                          Despite wanting my name to succeed, someone has dubbed this OprahSSL and I'm inclined to agree.

                            jimp (Rebel Alliance Developer, Netgate)

                            FreeBSD has fixes in, new snapshots of 2.2.4 will be out soon that have the problem corrected.

                            https://www.freebsd.org/security/advisories/FreeBSD-SA-15:12.openssl.asc

                            Actually, upon closer examination, we aren't affected. The version in pfSense 2.2.x is before the affected feature was added. The fix in FreeBSD is only for 10-STABLE after a specific date.

                            So no worries, folks. Just sit back and laugh at everyone else.

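
The point jimp makes above is that whether a host needs this fix depends on the exact OpenSSL letter release, not just on being in the 1.0.1 or 1.0.2 series: the affected code only exists in the June 2015 releases. The script below is an added example written for this page (it is not pfSense or FreeBSD code) that classifies an `openssl version` string against the fix releases named in the thread, 1.0.1p and 1.0.2d. It assumes the vulnerable window is 1.0.1n/1.0.1o and 1.0.2b/1.0.2c (the June 2015 releases), that the 1.0.0 and 0.9.8 series are unaffected as the quoted article states, and that earlier 1.0.1/1.0.2 builds predate the feature; the sample version strings are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example for this thread, not pfSense or FreeBSD code: classify an
# "openssl version" string against the fix releases named above (1.0.1p, 1.0.2d).
# Assumption (labelled): the vulnerable window is the June 2015 releases
# 1.0.1n/1.0.1o and 1.0.2b/1.0.2c; 1.0.0.x and 0.9.8x are unaffected, and
# 1.0.1 builds before 1.0.1n / 1.0.2 builds before 1.0.2b predate the feature.

# openssl_status "OpenSSL 1.0.1o 12 Jun 2015"  -> affected | fixed | unaffected | unknown
openssl_status() {
    # Keep only the version token: digits, dots and the trailing letter(s).
    # A vendor suffix such as "1.0.1l-freebsd" is cut at the "-".
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    case "$ver" in
        '')                 echo unknown ;;
        0.9.8*|1.0.0*)      echo unaffected ;;   # these series never had the code
        1.0.1[n-o])         echo affected ;;     # June 2015 1.0.1 releases
        1.0.1[p-z])         echo fixed ;;        # 1.0.1p or later
        1.0.1|1.0.1[a-m])   echo unaffected ;;   # predates the feature
        1.0.2[b-c])         echo affected ;;     # June 2015 1.0.2 releases
        1.0.2[d-z])         echo fixed ;;        # 1.0.2d or later
        1.0.2|1.0.2a)       echo unaffected ;;   # predates the feature
        *)                  echo unknown ;;      # other series: out of scope here
    esac
}

# Run the check against the openssl binary on PATH (prints "unknown" if absent).
check_local_openssl() {
    openssl_status "$(openssl version 2>/dev/null)"
}

# Demo on constructed version strings (not captured from a real host).
for v in "OpenSSL 1.0.1l-freebsd 15 Jan 2015" \
         "OpenSSL 1.0.1o 12 Jun 2015" \
         "OpenSSL 1.0.2c 12 Jun 2015" \
         "OpenSSL 1.0.2d 9 Jul 2015"; do
    printf '%-36s %s\n' "$v" "$(openssl_status "$v")"
done
printf '%-36s %s\n' "local openssl" "$(check_local_openssl)"
```

One caveat for FreeBSD and pfSense hosts: the base-system OpenSSL carries a `-freebsd` suffix and the project backports security fixes without bumping the upstream letter, so this string check only tells you which upstream release the build started from, not which FreeBSD SAs have been applied. For that, compare `freebsd-version -u` against the patch level given in the SA linked above.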
                              KOM

                              Just sit back and laugh at everyone else.

                              Everyone else?  From what I have read, hardly anybody was using the June library anyway so its effect is expected to be very limited.

                                jimp (Rebel Alliance Developer, Netgate)

                                @KOM:

                                Just sit back and laugh at everyone else.

                                Everyone else?  From what I have read, hardly anybody was using the June library anyway so its effect is expected to be very limited.

                                Ssshhhh… don't kill the mood. It's a rare day we get to practically ignore an OpenSSL SA. :-)

                                  dennypage

                                  @jimp:

                                  Ssshhhh… don't kill the mood. It's a rare day we get to practically ignore an OpenSSL SA. :-)

                                  :)

                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.