More OpenSSL security fixes

Discussion in 'privacy technology' started by BoerenkoolMetWorst, Aug 7, 2014.

  1. haakon

    haakon Guest

    I have a fair understanding of OpenSSL's method, but not so much with its actual gears and pulleys.

    I always keep some clients I use updated with the current libraries: libeay32.dll and ssleay32.dll, now at 1.0.2h / 1.0.2.8.

    Having no control, of course, on what's used on the server side "out there," I wonder if that does some good or none at all?? :doubt:
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,893
    Indeed. I've been using it for a long time.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    OpenSSL to Patch High Severity Vulnerability
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    Over a Dozen Vulnerabilities Patched in OpenSSL
     
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,084
    Location:
    USA
  6. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,538
    Location:
    Outer space
    I didn't check but usually some vulnerabilities affect client side as well. The big browsers don't use OpenSSL, but some others do, QupZilla for example.
    Also, quite a few other software packages on Windows bundle OpenSSL files in their program files folders and don't update them properly. Search your computer for ssleay*.dll and libeay*.dll to find out.
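
The search suggested in the post above, as an added Python example that is not part of the original thread: it walks a folder for bundled OpenSSL DLLs and reads the version banner that OpenSSL builds embed in the binary. The `libssl*`/`libcrypto*` patterns go beyond the names in the post (OpenSSL 1.1.0 renamed the DLLs), the function names are hypothetical, and the demo tree is constructed sample data, not real binaries.

```python
import os
import re
import tempfile
from fnmatch import fnmatch

# ssleay*/libeay* are the names from the post (OpenSSL up to 1.0.2);
# libssl*/libcrypto* are added here because 1.1.0 and later renamed the DLLs.
PATTERNS = ("ssleay*.dll", "libeay*.dll", "libssl*.dll", "libcrypto*.dll")

# Builds embed a banner such as "OpenSSL 1.0.2h  3 May 2016".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*) +\d{1,2} [A-Z][a-z]{2} \d{4}")


def embedded_version(path):
    """Return the OpenSSL version string compiled into the file, or None."""
    try:
        with open(path, "rb") as fh:
            match = BANNER.search(fh.read())
    except OSError:  # locked or unreadable file: report as unknown
        return None
    return match.group(1).decode("ascii") if match else None


def find_bundled_openssl(root):
    """Walk root and return sorted (path, version) pairs for OpenSSL DLLs."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if any(fnmatch(name.lower(), pat) for pat in PATTERNS):
                full = os.path.join(folder, name)
                hits.append((full, embedded_version(full)))
    return sorted(hits)


def demo():
    """Run the scan over a constructed tree (fake DLLs, not real binaries)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "AppA/libeay32.dll": b"MZ\x00pad OpenSSL 1.0.1e 11 Feb 2013\x00",
            "AppA/SSLEAY32.DLL": b"MZ\x00no banner in this one",
            "AppB/bin/libcrypto-1_1-x64.dll": b"MZ OpenSSL 1.1.0f 25 May 2017\x00",
            "AppB/bin/unrelated.dll": b"MZ OpenSSL 1.0.2h  3 May 2016\x00",
        }
        for rel, data in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), v)
                for p, v in find_bundled_openssl(root)]
```

On a real system, call `find_bundled_openssl(r"C:\Program Files")` and compare each reported version with the current release; a result of `None` means no banner was found in that file and it needs a manual check.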
     
  7. haakon

    haakon Guest

    That's what I pondered in my post #26 above.

    I've just been replacing the two dlls on my systems for years in the age-old trusted "it can't hurt" strategy.

    As well, I don't believe they'd be releasing client-side libraries for no reason.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  9. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,344
    I can tell you that my Debian systems all updated OpenSSL today. There were some high risk changes that were addressed.
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    OpenSSL Security Advisory [26 Sep 2016]

     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    OpenSSL to Patch High Severity Flaw in Version 1.1.0
     
  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    High Severity DoS Flaw Patched in OpenSSL
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    OpenSSL Patches Four Vulnerabilities
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    High Severity Flaw Patched in OpenSSL 1.1.0
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,906
    Pre-announcement for the upcoming OpenSSL releases for 02 Nov 2017.

    https://mta.openssl.org/pipermail/openssl-announce/2017-October/000104.html

     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    OpenSSL Patches Flaws Found With Google Fuzzer
     
  17. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    That Google fuzzer is a pretty awesome piece of kit; it tests programs with trillions of inputs to see if any of them cause an unexpected response.
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    Two Vulnerabilities Patched in OpenSSL
     
  19. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    First OpenSSL Updates in 2018 Patch Three Flaws
     
  20. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    118,456
    Location:
    Texas
    https://www.openssl.org/news/secadv/20190226.txt
     
  22. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,906
  23. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,906
    I would like to point to the OpenSSL blog post from 07 Nov 2019:
    Update on 3.0 Development, FIPS and 1.0.2 EOL
    https://www.openssl.org/blog/blog/2019/11/07/3.0-update/

    IMHO a must read for developers, in particular for those who are using the 1.0.2 version.

    (emphasis by me)

    There is a lot more in that blog post.
     
  24. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,906
  25. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    3,906
    Long Read:
    QUIC and OpenSSL - Feb 17th, 2020
    https://www.openssl.org/blog/blog/2020/02/17/QUIC-and-OpenSSL/

     