TechEcho

Here's a writeup of CVE-2015-1788:<a href="https://jbp.io/2015/06/11/cve-2015-1788-openssl-binpoly-hang/" rel="nofollow">https://jbp.io/2015/06/11/cve-2015-1788-openssl-binpoly-hang...</a>It's embarrassing rather than terribly dangerous.edit: Please note: there are other issues in this advisory. You should read the advisory, first and foremost.

In the meantime, latest stable releases of Chrome and Firefox are still vulnerable to Logjam. Is it that hard to fix?

I wonder how many of these are found by hand versus with automated tools like Asan and AFL. Seems like some of these would be really hard to spot...

Layman's explanation? I should apt-get update && apt-get upgrade?

Good luck in updating it in OS X (try running `ssh -V` there). Good that OS X will update to a more recent version in El Capitan and also switch to LibreSSL (great step forward).

"X509_cmp_time does not properly check the length of the ASN1_TIME string and can read a few bytes out of bounds."OpenSSL in C has had range errors discovered for over a decade now. Short of going to a safe language or full machine proofs of correctness, it's never going to be fixed. "Many eyes" don't help.(Of course, one wonders how many OpenSSL security holes are deliberate backdoors.)

In the meantime, latest stable releases of Chrome and Firefox are still vulnerable to Logjam. Is it that hard to fix?

I wonder how many of these are found by hand versus with automated tools like Asan and AFL. Seems like some of these would be really hard to spot...

Layman's explanation? I should apt-get update && apt-get upgrade?

Good luck in updating it in OS X (try running `ssh -V` there). Good that OS X will update to a more recent version in El Capitan and also switch to LibreSSL (great step forward).

OpenSSL Security Advisory

6 comments

OpenSSL Security Advisory

6 comments