[RndTbl] [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36

Gilbert Detillieux Gilbert.Detillieux at umanitoba.ca
Wed Feb 22 15:37:47 CST 2023 

Thanks for the update on LibreSSL.  Last time I looked at it, they were 
still in version 1.x, and still only supported on BSD-based systems.  I 
see they're at version 3.x now.

I wonder how much of this is still the case about support on Linux?...

https://lwn.net/Articles/841664/

There's also an overwhelming level of "this-is-fine"-ism in the 
industry, so as long as OpenSSL isn't a complete dumpster fire at the 
moment, people aren't willing to invest in alternatives, regardless of 
how drop-in-ready they may be (which is apparently still a debatable 
point with LibreSSL on Linux, or at least still was 2 years ago, when 
the above article was written).

Longer term, maybe a complete re-imagining is what the industry will 
need to move forward.  Most companies and developers are motivated more 
by new features than by correctness or security, sadly.

Gilbert

On 2023-02-22 3:12 p.m., Adam Thompson wrote:
> Bob Beck et al. from the OpenBSD project already "secured" OpenSSL, with 
> the result being called LibreSSL.  It's drop-in compatible for many 
> applications, but does require recompiling.  That team did a number of 
> presentations on it, and apparently you can still hear the swearing 
> echoing late at night when it's quiet...
> 
> The OpenSSL team, however, appear to be rather resistant to help.  
> Serious NIH syndrome.  Also they're more focused on preserving backwards 
> compatibility than correctness or security.  And also don't respond well 
> to criticism, from what I've seen.
> 
> All the large orgs you mentioned already have their own 
> OpenSSL-replacement projects in-house, some of them public.  None of 
> those are even remotely drop-in replacements, they're re-imagninings of 
> what a secure-connection library should be.
> 
> -Adam
> ------------------------------------------------------------------------
> *From:* Roundtable <roundtable-bounces at muug.ca> on behalf of Gilbert 
> Detillieux <Gilbert.Detillieux at umanitoba.ca>
> *Sent:* February 22, 2023 2:17 PM
> *To:* Continuation of Round Table discussion <roundtable at muug.ca>
> *Subject:* Re: [RndTbl] Fw: [SECURITY] Fedora 36 Update: 
> openssl-3.0.8-1.fc36
> As if we didn't already have enough issues with OpenSSL, what with
> buffer overrun vulnerabilities in new/recent code*, and more direct
> coding flaws (pointer free/dereference and such) that were recently
> announced**.
> 
> You'd think with the combined wealth and resources of Alphabet/Google,
> Apple, and Microsoft, they'd find it in their best collective
> self-interest to fund a project to replace this garbage with some, you
> know, actually secure code.
> 
> Sigh!
> 
> Gilbert
> 
> *
> https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/ <https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/>
> 
> ** https://www.openssl.org/news/secadv/20230207.txt 
> <https://www.openssl.org/news/secadv/20230207.txt>
> https://linuxsecurity.com/features/urgent-openssl-security-advisory 
> <https://linuxsecurity.com/features/urgent-openssl-security-advisory>
> 
> https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/ <https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/>
> 
> https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix <https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix>
>      (Many of the above do mention the side-channel attack too.)
> 
> On 2023-02-22 1:51 p.m., Trevor Cordes wrote:
>> Oh joy, "password timing" attacks come to SSL.
>> 
>> e.g. CVE-2022-4304  Published 2023-02-08T20:15:00
>> A timing based side channel exists in the OpenSSL RSA Decryption
>> implementation which could be sufficient to recover a plaintext across
>> a network in a Bleichenbacher style attack.
>> 
>> 
>> Begin forwarded message:
>> 
>> Date: Wed, 22 Feb 2023 11:09:09 +0000 (GMT)
>> From: updates at fedoraproject.org
>> To: package-announce at lists.fedoraproject.org
>> Subject: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36
>> 
>> --------------------------------------------------------------------------------
>> Fedora Update Notification
>> FEDORA-2023-a5564c0a3f
>> 2023-02-22 11:06:32.699863
>> --------------------------------------------------------------------------------
>> 
>> Name        : openssl
>> Product     : Fedora 36
>> Version     : 3.0.8
>> Release     : 1.fc36
>> 
>> * Thu Feb  9 2023 Dmitry Belyavskiy <dbelyavs at redhat.com> - 1:3.0.8-1
>> - Rebase to upstream version 3.0.8
>>    Resolves: CVE-2022-4203
>>    Resolves: CVE-2022-4304
>>    Resolves: CVE-2022-4450
>>    Resolves: CVE-2023-0215
>>    Resolves: CVE-2023-0216
>>    Resolves: CVE-2023-0217
>>    Resolves: CVE-2023-0286
>>    Resolves: CVE-2023-0401

-- 
Gilbert Detillieux          E-mail: Gilbert.Detillieux at umanitoba.ca
Computer Science            Web:    http://www.cs.umanitoba.ca/~gedetil/
University of Manitoba      Phone:  204-474-8161
Winnipeg MB CANADA  R3T 2N2

More information about the Roundtable mailing list