[RndTbl] Fw: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36

Trevor Cordes trevor at tecnopolis.ca
Wed Feb 22 17:02:43 CST 2023


On 2023-02-22 Gilbert Detillieux wrote:
> As if we didn't already have enough issues with OpenSSL, what with 
> buffer overrun vulnerabilities in new/recent code*, and more direct 
> coding flaws (pointer free/dereference and such) that were recently 
> announced**.

To be fair, "password timing" attacks are a relatively new class of
attack vectors.  And by new I mean maybe 10-15 years old?  Many
projects are still finding buffer overrun and null-pointer deref bugs
40 years after that class was identified.

And the tools to combat timing attacks are still (relatively) in their
infancy, in terms of language support and standardized libraries.  So
programmers have (had) little help.  Many will just put their heads in
the sand.

Even worse, you can find these vulnerabilities in places that aren't
readily apparent (like SSL).  We all thought "password" when really
it's comparing any strings in an auth (or even encryption?) scenario.

I remember a few years back when PHP was starting to address this that
to solve it immediately in my own projects I had to write custom
password comparison code, because it was going to be years before the
PHP tools showed up on our production boxes.  It was one of the most
challenging, and fun, projects I've ever worked on, though I hated the
fact I had to waste time on mitigating the minds of autist hackers.

The disturbing thing I see in the industry these days is that it's not
new bugs people are finding, it's entirely new classes of bugs.  Ones
that no one really thought of before (a blessing?).  Like the Spectre-
class gift that will forever keep on giving.  And password timing
attacks.  As we fix those, shudder to think what new class has yet to
be discovered...
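
The string-comparison timing leak discussed in this message, as an added example that is not part of the original post or of any project it mentions: an early-exit comparison beside a constant-time fallback for PHP runtimes that lack `hash_equals()` (available since PHP 5.6). The function names and the sample token are assumptions made up for the illustration.

```php
<?php
// Added illustration. Function names are hypothetical; the token is constructed.

// Leaky: returns at the first mismatching byte, so the run time grows with
// the length of the matching prefix and can be measured by a remote caller.
function leaky_equals($known, $supplied)
{
    if (strlen($known) !== strlen($supplied)) {
        return false;
    }
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        if ($known[$i] !== $supplied[$i]) {
            return false;               // early exit is the side channel
        }
    }
    return true;
}

// Constant-time: prefer the built-in, otherwise touch every supplied byte
// and fold all differences into one accumulator with no data-dependent branch.
function ct_equals($known, $supplied)
{
    $known = (string) $known;
    $supplied = (string) $supplied;
    if (function_exists('hash_equals')) {
        return hash_equals($known, $supplied);
    }
    $n = strlen($known);
    $m = strlen($supplied);
    if ($n === 0) {
        return $m === 0;                // avoid modulo by zero below
    }
    $diff = $n ^ $m;                    // a length mismatch taints the result
    // Loop length depends on the caller's input, not on the secret.
    for ($i = 0; $i < $m; $i++) {
        $diff |= ord($known[$i % $n]) ^ ord($supplied[$i]);
    }
    return $diff === 0;
}

$stored = 'constructed-sample-token-0001';   // constructed value, not a real secret
var_dump(leaky_equals($stored, 'constructed-sample-token-0001'));
var_dump(ct_equals($stored, 'constructed-sample-token-0001'));
var_dump(ct_equals($stored, 'constructed-sample-token-0002'));
var_dump(ct_equals($stored, 'short'));
```

For stored password hashes, PHP's `password_verify()` already performs the comparison in constant time; a fallback like this is for session tokens, MACs and similar secrets compared as raw strings.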

