by 9wzYQbTYsAIc on 4/21/20, 4:41 PM
> This issue was found by Bernd Edlinger and reported to OpenSSL on 7th April
2020. It was found using the new static analysis pass being implemented in GCC,
-fanalyzer.
2-week turnaround time, not bad I guess, for something found by a static analyzer.
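For readers who have not used -fanalyzer: it is a path-sensitive checker built into GCC 10 and later, and one defect class it reports is a pointer dereferenced on a path where it can be NULL. The snippet below is an added illustration of that defect class, not code from the OpenSSL advisory or from OpenSSL itself, and it makes no claim about what the OpenSSL bug looked like. The lookup table, the names in it and the function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample table for the demo; nothing here is OpenSSL data. */
struct entry {
    const char *name;
    int value;
};

static const struct entry table[] = {
    { "tls1.2", 12 },
    { "tls1.3", 13 },
};

/* Returns a pointer into the table, or NULL when the name is unknown. */
static const struct entry *find_entry(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        if (strcmp(table[i].name, name) == 0)
            return &table[i];
    }
    return NULL;
}

/* Defective version: uses the lookup result without checking it.
 * On the not-found path this dereferences NULL and crashes the process,
 * i.e. a denial of service rather than a memory disclosure. This is the
 * shape of defect gcc -fanalyzer reports as -Wanalyzer-null-dereference,
 * because it follows find_entry's NULL-returning path into the caller. */
int value_unchecked(const char *name)
{
    const struct entry *e = find_entry(name);
    return e->value;            /* e may be NULL here */
}

/* Fixed version: "not found" becomes an error the caller must handle.
 * Returns 0 and stores the value, or -1 without touching *out. */
int value_checked(const char *name, int *out)
{
    const struct entry *e = find_entry(name);
    if (e == NULL)
        return -1;              /* unknown name: report, never dereference */
    *out = e->value;
    return 0;
}

/* Convenience wrapper showing the checked API in use: returns the value
 * for a known name and the caller-supplied fallback otherwise. */
int value_or(const char *name, int fallback)
{
    int v;
    if (value_checked(name, &v) != 0)
        return fallback;
    return v;
}

int main(void)
{
    printf("tls1.3 -> %d\n", value_or("tls1.3", -1));
    printf("ssl3   -> %d\n", value_or("ssl3", -1));
    /* value_unchecked("ssl3") would crash; the analyzer finds that
     * without running anything. */
    return 0;
}
```

Compile with `gcc -fanalyzer -c example.c` (GCC 10 or newer) and the analyzer is expected to warn on the `e->value` line in `value_unchecked`, tracing the path through `find_entry`'s `return NULL`; `value_checked` produces no such warning because the NULL path is handled before the dereference. Note that the analyzer only sees this because both functions are in the same translation unit, which is also why it is slow to spread through a code base the size of OpenSSL.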
by judge2020 on 4/21/20, 5:55 PM
At least it's just DoS and not anything like Heartbleed.
by nayuki on 4/21/20, 5:28 PM
What popular software contains these vulnerable versions of the OpenSSL library?
by pronoiac on 4/21/20, 6:24 PM
Checking out packages.ubuntu.com, it looks like the only version impacted is "focal;" the other versions are too old.
by agumonkey on 4/21/20, 11:00 PM
Now I know why arch pushed a new version this afternoon.
by codewiz on 4/22/20, 1:39 AM
Is BoringSSL affected?
by usr1106 on 4/22/20, 9:22 AM
So how widely is TLS 1.3
a) used
b) enabled in either client or server?
by nayuki on 4/21/20, 6:59 PM
OpenSSL vulnerabilities: The gift that keeps on giving.
by stuff4ben on 4/21/20, 6:13 PM
This would primarily affect web servers exposing SSH access to the public, right? I suppose it also affects internally accessible servers as well, but to a lesser degree in terms of priority.
by vladsanchez on 4/21/20, 7:02 PM
OpenSSL is the culprit of a MacPort installation issue (vde2) for which there is no maintainer. It exposes operational vulnerability to unmaintained open source software.
by snvzz on 4/21/20, 6:56 PM
Sure, let's continue to reward incompetence by further funding openssl.
In a sane world, everybody would have switched to libressl ages ago.