Articles about openssl

OpenSSL preps fix for mystery high severity hole

The OpenSSL Project will repair a "high severity" security hole in updates due Thursday. Information is thin on the ground. El Reg has asked OpenSSL for more details to help admins prepare for the patching. The hole will be patched as part of a series of fixes that will land on 19 March and apply to versions 1.0.2a, 1.0.1m, 1 …
Darren Pauli, 17 Mar 2015

Cisco FREAKs out, starts epic OpenSSL bug-splat

Cisco admins will be watching and waiting for fixes, with the company announcing that many of its OpenSSL implementations are carrying a bunch of post-POODLE fleas. The Borg has been looking over its kit and software since the OpenSSL project disclosed a bunch of vulns in January, and on March 10 detailed the impacts it's …

OpenSSL audit kicks off for post-Heartbleed strengthening program

A major audit of the ubiquitous OpenSSL web security protocol is set to commence under a US$1.2 million industry commitment to harden open source technologies. OpenSSL is first off the rank under the Linux Foundation’s Core Infrastructure Initiative given its popularity and lack of in-depth security review. "OpenSSL has been …
Darren Pauli, 10 Mar 2015

Post-POODLE, OpenSSL shakes off some fleas

OpenSSL has squashed eight low severity vulnerabilities that could result in denial of service or the removal of forward secrecy. The holes, two graded "moderate", were addressed in OpenSSL updates 1.0.0p, 0.98zd, and 1.0.1k. Maintainers wrote in an advisory that Cisco warned last October that a crafted Datagram …
Darren Pauli, 9 Jan 2015

Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat

If you're using the popular OpenSSL open source cryptography library, you have more to worry about than the recently disclosed POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, project devs have warned. In addition to patching two POODLE-related bugs, new releases of OpenSSL issued on Wednesday also close …
Neil McAllister, 15 Oct 2014

OpenSSL promises devs advance notice of future bugs, slaps if they blab

In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes. The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the …

Only '3% of web servers in top corps' fully fixed after Heartbleed snafu

A study of the public-facing web servers run by some of the world's largest firms has suggested only three per cent of the machines have been fully protected against the OpenSSL vulnerability known as Heartbleed. The research, carried out by security specialists at Venafi Labs, examined 550,000 servers belonging to 1,639 …
Iain Thomson, 29 Jul 2014

How long is too long to wait for a security fix?

Synology quietly released version 4.2-3250 of its DiskStation Manager (DSM) operating system this month. This squashes critical security bugs in version 4.2 of DSM – bugs that were fixed in version 5.0 in June, so consider this a back port. Version 4.2 is old but still in use in various models, such as the DS109. The update …
Trevor Pott, 25 Jul 2014

Google devs: Tearing Chrome away from OpenSSL not that easy

Google is trying to migrate its Chrome browser away from the buggy OpenSSL cryptography library toward BoringSSL, its homegrown fork, but swapping out the crypto code is proving more difficult than it sounds. Google engineer David Benjamin posted a revision to the Chromium source code version control system this week with a …
Neil McAllister, 25 Jul 2014

LibreSSL RNG bug fix: What's all the forking fuss about, ask devs

A bug found and fixed in LibreSSL, the OpenSSL fork maintained by OpenBSD developers, is "catastrophic" or "overblown", depending on whom you talk to. Just days after the release of a portable version of the crypto library, a flaw was reported in LibreSSL's pseudo-random number generator – its PRNG, a vital component in strong …
John Leyden, 17 Jul 2014

LibreSSL crypto library leaps from OpenBSD to Linux, OS X, more

The OpenBSD project has released the first portable version of LibreSSL, the team's OpenSSL fork – meaning it can be built for operating systems other than OpenBSD. The LibreSSL project, which aims to clean up the buggy and inscrutable OpenSSL code, was founded about two months ago by a group of OpenBSD developers, so it only …
Neil McAllister, 12 Jul 2014

'I don't want to go on the cart' ... OpenSSL revived with survival roadmap

The OpenSSL project, having suffered sharp criticism following the revelation of a string of serious security vulnerabilities, has published a roadmap explaining how it plans to address users' concerns. "The OpenSSL project is increasingly perceived as slow-moving and insular," the intro to the document states. "This roadmap …

Bored yet? Now there's ANOTHER OpenSSL fork – it's from Google

With developers still struggling to plug vulnerabilities in the open source OpenSSL crypto library, Google has spun off a new fork of the project based on its own, internal work with the code, dubbed BoringSSL. "We have used a number of patches on top of OpenSSL for many years," Google dev Adam Langley said in a blog post …
Neil McAllister, 21 Jun 2014

Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt

OpenBSD founder Theo De Raadt said OpenSSL maintainers appeared to have intentionally not informed it about dangerous vulnerabilities found in the platform and patched today. The apparent feud stems from the April breakaway LibreSSL, which was forked after developers found the OpenSSL code base to be unacceptably insecure in …
Darren Pauli, 6 Jun 2014

Patch NOW: Six new bugs found in OpenSSL – including spying hole

The OpenSSL team has pushed out fixes for six security vulnerabilities in the widely used crypto library. These holes include a flaw that enables man-in-the-middle (MITM) eavesdropping on encrypted connections, and another that allows miscreants to drop malware on at-risk systems. A DTLS invalid fragment bug (CVE-2014-0195, …
John Leyden, 5 Jun 2014

AVG on Heartbleed: It's dangerous to go alone. Take this (an AVG tool)

It's the bug that keeps on bleeding. Thousands of websites are still vulnerable to Heartbleed more than a month after a patch for the password-leaking OpenSSL bug was released, we're told. Researchers at AVG’s Virus Labs said they scanned Alexa's league table of the top 800,000 sites in the world, and found 12,043 (1.5 per …
John Leyden, 20 May 2014

Don't fret over SOHO routers and Heartbleed. But yeah, there's LOADS to fear on home kit

The infamous Heartbleed bug doesn't affect home routers in practice, according to new analysis by security researchers at TripWire. The infosec vendor nevertheless warned that "critical security flaws" are "endemic" to small office/home office (SOHO) routers. TripWire came to this conclusion after revisiting earlier research …
John Leyden, 9 May 2014

Bevy of tech behemoths aim to plug the next Heartbleed with DOLLARS

Tech's biggest names have vowed to pour cash into crucial open-source projects that glue the web together – and hopefully kill off any dire bugs that could wreck the net. The Linux Foundation announced on Thursday that it had formed "The Core Infrastructure Initiative" to fund open projects that are critical to the functioning …
Jack Clark, 24 Apr 2014
