
<html>

<head>

<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">

<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>

</head>

<body dir="ltr">

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

Bob Beck et al. from the OpenBSD project already "secured" OpenSSL, with the result being called LibreSSL.  It's drop-in compatible for many applications, but does require recompiling.  That team did a number of presentations on it, and apparently you can still

 hear the swearing echoing late at night when it's quiet...</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

The OpenSSL team, however, appear to be rather resistant to help.  Serious NIH syndrome.  Also they're more focused on preserving backwards compatibility than correctness or security.  And also don't respond well to criticism, from what I've seen.<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

All the large orgs you mentioned already have their own OpenSSL-replacement projects in-house, some of them public.  None of those are even remotely drop-in replacements, they're re-imagninings of what a secure-connection library should be.<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

<br>

</div>

<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);" class="elementToProof">

-Adam<br>

</div>

<div id="appendonsend"></div>

<hr style="display:inline-block;width:98%" tabindex="-1">

<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Roundtable <roundtable-bounces@muug.ca> on behalf of Gilbert Detillieux <Gilbert.Detillieux@umanitoba.ca><br>

<b>Sent:</b> February 22, 2023 2:17 PM<br>

<b>To:</b> Continuation of Round Table discussion <roundtable@muug.ca><br>

<b>Subject:</b> Re: [RndTbl] Fw: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36</font>

<div> </div>

</div>

<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">

<div class="PlainText">As if we didn't already have enough issues with OpenSSL, what with

<br>

buffer overrun vulnerabilities in new/recent code*, and more direct <br>

coding flaws (pointer free/dereference and such) that were recently <br>

announced**.<br>

<br>

You'd think with the combined wealth and resources of Alphabet/Google, <br>

Apple, and Microsoft, they'd find it in their best collective <br>

self-interest to fund a project to replace this garbage with some, you <br>

know, actually secure code.<br>

<br>

Sigh!<br>

<br>

Gilbert<br>

<br>

* <br>

<a href="https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/">https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-notice/</a><br>

<br>

** <a href="https://www.openssl.org/news/secadv/20230207.txt">https://www.openssl.org/news/secadv/20230207.txt</a><br>

    <a href="https://linuxsecurity.com/features/urgent-openssl-security-advisory">

https://linuxsecurity.com/features/urgent-openssl-security-advisory</a><br>

 <br>

<a href="https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/">https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-lead-to-system-crashes/</a><br>

 <br>

<a href="https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix">https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities-openssl-affect-aix</a><br>

    (Many of the above do mention the side-channel attack too.)<br>

<br>

On 2023-02-22 1:51 p.m., Trevor Cordes wrote:<br>

> Oh joy, "password timing" attacks come to SSL.<br>

> <br>

> e.g. CVE-2022-4304  Published 2023-02-08T20:15:00<br>

> A timing based side channel exists in the OpenSSL RSA Decryption<br>

> implementation which could be sufficient to recover a plaintext across<br>

> a network in a Bleichenbacher style attack.<br>

> <br>

> <br>

> Begin forwarded message:<br>

> <br>

> Date: Wed, 22 Feb 2023 11:09:09 +0000 (GMT)<br>

> From: updates@fedoraproject.org<br>

> To: package-announce@lists.fedoraproject.org<br>

> Subject: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36<br>

> <br>

> --------------------------------------------------------------------------------<br>

> Fedora Update Notification<br>

> FEDORA-2023-a5564c0a3f<br>

> 2023-02-22 11:06:32.699863<br>

> --------------------------------------------------------------------------------<br>

> <br>

> Name        : openssl<br>

> Product     : Fedora 36<br>

> Version     : 3.0.8<br>

> Release     : 1.fc36<br>

> <br>

> * Thu Feb  9 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.8-1<br>

> - Rebase to upstream version 3.0.8<br>

>    Resolves: CVE-2022-4203<br>

>    Resolves: CVE-2022-4304<br>

>    Resolves: CVE-2022-4450<br>

>    Resolves: CVE-2023-0215<br>

>    Resolves: CVE-2023-0216<br>

>    Resolves: CVE-2023-0217<br>

>    Resolves: CVE-2023-0286<br>

>    Resolves: CVE-2023-0401<br>

<br>

-- <br>

Gilbert Detillieux          E-mail: Gilbert.Detillieux@umanitoba.ca<br>

Computer Science            Web:    <a href="http://www.cs.umanitoba.ca/~gedetil/">

http://www.cs.umanitoba.ca/~gedetil/</a><br>

University of Manitoba      Phone:  204-474-8161<br>

Winnipeg MB CANADA  R3T 2N2<br>

For best CS dept. service, contact <cs-support@lists.umanitoba.ca>.<br>

<br>

_______________________________________________<br>

Roundtable mailing list<br>

Roundtable@muug.ca<br>

<a href="https://muug.ca/mailman/listinfo/roundtable">https://muug.ca/mailman/listinfo/roundtable</a><br>

</div>

</span></font></div>

</body>

</html>