New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
OpenSSL 3 Critical security vulnerability -- Potential memory leak & remote code execution?
PulsedMedia
Member, Patron Provider
in News
It's likely to be abused to disclose server memory contents, and potentially reveal user details, and could be easily exploited remotely to compromise server private keys or execute code execute remotely. In other words, pretty much everything you don't want happening on your production systems.
ZDNet probably did that for the hyperbole clicks, not sure, here is ZDNet article:
https://www.zdnet.com/article/openssl-warns-of-critical-security-vulnerability-with-upcoming-patch/
Check if you are affected from here: https://isc.sans.edu/forums/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192
(or just type ' openssl version ' in shell!)
I don't think any of our production servers are affected sigh of relief
Comments
Fedora 37 got delayed
https://lwn.net/Articles/912776/
Besides Fedora, which distros are using openssl 3? All of my systems are using openssl 1.1.1
AlmaLinux 9.x and Ubuntu 22.04+ are also using OpenSSL 3.
RHEL 9
Ubuntu 22.04
Link to a list posted on the original posting: https://isc.sans.edu/forums/diary/Upcoming+Critical+OpenSSL+Vulnerability+What+will+be+Affected/29192
OpenSSL 3.0.7 with the fixes was released yesterday, 1 November 2022.
Scroll down to see their comment under Current News, which will scroll down and disappear as new entries bump it out over time:
https://www.openssl.org
Here are descriptions of the bugs and fixes:
https://www.openssl.org/news/secadv/20221101.txt
https://www.openssl.org/blog/blog/2022/11/01/email-address-overflows/
I do not know whether it has trickled down to the updaters for affected Linux distros and other operating systems yet. The various OSs that I run all use OpenSSL 1.x and earlier. They are not affected.
Edit, added a few minutes later:
I just looked at a few versions of macOS, and only now learned that Apple switched from OpenSSL to LibreSSL. I am no longer sure which version upgrade had the change, but it happened somewhere around macOS 10.11 to 10.13. I wonder whether the change was related to GNU licensing. Most people believe GNU license restrictions drove Apple's switch from bash to zsh as the default shell in Terminal.