Webmaster General Forum

    
OpenSSL Serious Vulnerability Notice; Affects Versions Patched After Heartbleed
engine




msg:4677903
 8:45 am on Jun 6, 2014 (gmt 0)

With the Heartbleed bug still in our minds, there's another serious vulnerability in OpenSSL which needs patching quickly.

Still cleaning up after the Heartbleed debacle, OpenSSL is issuing fixes for several vulnerabilities, one of them exploitable to run arbitrary code on the client or server.

OpenSSL Serious Vulnerability Notice; Affects Versions Patched After Heartbleed [zdnet.com]


OpenSSL security advisory [openssl.org...]

Earlier stories

New Heartbleed Attack, "Cupid Bug" Affects Android Devices Over WiFi [webmasterworld.com]

New Vulnerability in OpenSSL Cryptographic Software: Heartbleed Bug [webmasterworld.com]

 

graeme_p




msg:4677917
 9:47 am on Jun 6, 2014 (gmt 0)

It's nothing like as serious as Heartbleed (or the Apple "goto" bug or the GnuTLS one) as it requires a MITM attack between a vulnerable client AND a vulnerable server. The only widely used browser that is vulnerable seems to be Chrome on Android (and presumably some other Android browsers as well).

Funny how so many SSL vulnerabilities seem to be surfacing at once. It looks as though no one bothered properly auditing it until the "goto" bug woke people up, and once they started looking it all started appearing.

IanKelley




msg:4678146
 10:18 am on Jun 7, 2014 (gmt 0)

You also have to wonder if the Snowden revelations about the NSA attempting to inject vulnerabilities into popular solutions motivated people to look more closely.

graeme_p




msg:4678208
 4:55 pm on Jun 7, 2014 (gmt 0)

Definitely a motive for the better auditing.

It does make me suspicious about the remaining major SSL libraries: NSS, the Windows one, and the Java one. Are they better designed, or STILL not properly audited, or even deliberately keeping a vulnerability in for the NSA?
