Upcoming patch for major security flaw in OpenSSL 3.x

From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Upcoming patch for major security flaw in OpenSSL 3.x
Date: Fri, 28 Oct 2022 13:03:54 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 10
Message-ID: <tjgjvq$33i2i$1@dont-email.me>
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
 by: Simon Clubley - Fri, 28 Oct 2022 13:03 UTC

There is a major security flaw affecting OpenSSL 3.x that is critical
enough to announce in advance of the actual patch being released next week:

https://www.zdnet.com/article/openssl-warns-of-critical-security-vulnerability-with-upcoming-patch/

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.

Re: Upcoming patch for major security flaw in OpenSSL 3.x

From: seaoh...@hoffmanlabs.invalid (Stephen Hoffman)
Newsgroups: comp.os.vms
Subject: Re: Upcoming patch for major security flaw in OpenSSL 3.x
Date: Thu, 3 Nov 2022 18:44:15 -0400
Organization: HoffmanLabs LLC
Lines: 22
Message-ID: <tk1g7v$1i9rn$1@dont-email.me>
References: <tjgjvq$33i2i$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
User-Agent: Unison/2.2
 by: Stephen Hoffman - Thu, 3 Nov 2022 22:44 UTC

On 2022-10-28 13:03:54 +0000, Simon Clubley said:

> There is a major security flaw affecting OpenSSL 3.x that is critical
> enough to announce in advance of the actual patch being released next
> week:

Downgraded to HIGH, and might arguably be MEDIUM given the requirements.

Some background on the bug, on the difficulties of parsing, on Unicode
and ASCII, and of potential means of bug detection.

https://words.filippo.io/dispatches/openssl-punycode/

BTW / unrelated / PSA : OpenSSH 9.0p1 is restricting RSA and SHA-1
usage by default, so expect a few wrinkles when interoperating with
OpenVMS.

--
Pure Personal Opinion | HoffmanLabs LLC

Re: Upcoming patch for major security flaw in OpenSSL 3.x

From: club...@remove_me.eisner.decus.org-Earth.UFP (Simon Clubley)
Newsgroups: comp.os.vms
Subject: Re: Upcoming patch for major security flaw in OpenSSL 3.x
Date: Fri, 4 Nov 2022 13:59:05 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 19
Message-ID: <tk35r8$1qnss$2@dont-email.me>
References: <tjgjvq$33i2i$1@dont-email.me> <tk1g7v$1i9rn$1@dont-email.me>
User-Agent: slrn/0.9.8.1 (VMS/Multinet)
 by: Simon Clubley - Fri, 4 Nov 2022 13:59 UTC

On 2022-11-03, Stephen Hoffman <seaohveh@hoffmanlabs.invalid> wrote:
> On 2022-10-28 13:03:54 +0000, Simon Clubley said:
>
>> There is a major security flaw affecting OpenSSL 3.x that is critical
>> enough to announce in advance of the actual patch being released next
>> week:
>
> Downgraded to HIGH, and might arguably be MEDIUM given the requirements.
>

Given the initial publicity, this is a really bad screwup on the part
of OpenSSL because the next time a genuine critical one is issued, some
people may not take it as seriously as they should.

Simon.

--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
