As if we didn't already have enough issues with OpenSSL, what with buffer overrun vulnerabilities in new/recent code*, and more direct coding flaws (pointer free/dereference and such) that were recently announced**.
You'd think with the combined wealth and resources of Alphabet/Google, Apple, and Microsoft, they'd find it in their best collective self-interest to fund a project to replace this garbage with some, you know, actually secure code.
Sigh!
Gilbert
* https://nsfocusglobal.com/openssl-multiple-buffer-overflow-vulnerability-not...
** https://www.openssl.org/news/secadv/20230207.txt
https://linuxsecurity.com/features/urgent-openssl-security-advisory
https://www.lansweeper.com/vulnerability/8-vulnerabilities-in-openssl-could-...
https://www.ibm.com/support/pages/security-bulletin-multiple-vulnerabilities...
(Many of the above do mention the side-channel attack too.)
On 2023-02-22 1:51 p.m., Trevor Cordes wrote:
Oh joy, "password timing" attacks come to SSL.
e.g. CVE-2022-4304 (Published 2023-02-08T20:15:00):
A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack.
Begin forwarded message:
Date: Wed, 22 Feb 2023 11:09:09 +0000 (GMT)
From: updates@fedoraproject.org
To: package-announce@lists.fedoraproject.org
Subject: [SECURITY] Fedora 36 Update: openssl-3.0.8-1.fc36

Fedora Update Notification
FEDORA-2023-a5564c0a3f
2023-02-22 11:06:32.699863

Name    : openssl
Product : Fedora 36
Version : 3.0.8
Release : 1.fc36

- Thu Feb 9 2023 Dmitry Belyavskiy dbelyavs@redhat.com - 1:3.0.8-1
- Rebase to upstream version 3.0.8
  Resolves: CVE-2022-4203
  Resolves: CVE-2022-4304
  Resolves: CVE-2022-4450
  Resolves: CVE-2023-0215
  Resolves: CVE-2023-0216
  Resolves: CVE-2023-0217
  Resolves: CVE-2023-0286
  Resolves: CVE-2023-0401
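The "password timing" comparison in the quoted message is apt: a Bleichenbacher-style oracle only needs the decryptor to take a different amount of time depending on where PKCS#1 v1.5 padding fails. The following C program, added here as an illustration and not code from OpenSSL or the Fedora package, puts an early-exit unpadding routine beside a constant-time one with implicit rejection (the same shape the fixed code uses, though simplified). It assumes a fixed, public message length as in the TLS premaster-secret case and performs no actual RSA; the sample block, message and fallback bytes are constructed.

```c
/* Added example, not OpenSSL code: an early-exit PKCS#1 v1.5 padding check as a timing
 * oracle, beside a constant-time check with implicit rejection. Assumptions: the message
 * length mlen is fixed and public (TLS premaster secret case); only unpadding is modelled. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EMLEN 32   /* constructed: length of the "decrypted" block EM */
#define MLEN  4    /* constructed: public length of the embedded message M */

/* 0xFF if a == b, else 0x00, computed without a data-dependent branch. */
static uint8_t ct_eq8(uint8_t a, uint8_t b) {
    uint32_t x = (uint32_t)(a ^ b);   /* zero iff equal */
    x = (x - 1U) >> 31;                /* 1 iff x was zero (x - 1 wraps to 0xFFFFFFFF) */
    return (uint8_t)(0U - x);          /* 1 -> 0xFF, 0 -> 0x00 */
}

/* a when mask == 0xFF, b when mask == 0x00, without branching on mask. */
static uint8_t ct_select8(uint8_t mask, uint8_t a, uint8_t b) {
    return (uint8_t)((mask & a) | ((uint8_t)~mask & b));
}

/* Leaky reference. Expected layout: 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || M.
 * Returns at the first failing byte; *work counts bytes inspected and stands in for the
 * time a remote attacker would measure. */
static int unpad_leaky(const uint8_t *em, size_t emlen, size_t mlen, uint8_t *out, size_t *work) {
    size_t n = 0;
    if (emlen < mlen + 11) { *work = n; return 0; }
    size_t sep = emlen - mlen - 1;                 /* public position of the 0x00 separator */
    n++; if (em[0] != 0x00) { *work = n; return 0; }
    n++; if (em[1] != 0x02) { *work = n; return 0; }
    for (size_t i = 2; i < sep; i++) { n++; if (em[i] == 0x00) { *work = n; return 0; } }
    n++; if (em[sep] != 0x00) { *work = n; return 0; }
    memcpy(out, em + sep + 1, mlen);
    *work = n;
    return 1;
}

/* Constant-time variant: inspects every byte regardless of content and always writes mlen
 * bytes to out, the real message when padding is valid and the caller's fallback when not
 * (implicit rejection), so the caller has no validity branch to leak either. */
static int unpad_ct(const uint8_t *em, size_t emlen, size_t mlen,
                    const uint8_t *fallback, uint8_t *out, size_t *work) {
    if (emlen < mlen + 11) { memcpy(out, fallback, mlen); *work = 0; return 0; } /* lengths are public */
    size_t sep = emlen - mlen - 1;
    uint8_t good = ct_eq8(em[0], 0x00) & ct_eq8(em[1], 0x02) & ct_eq8(em[sep], 0x00);
    size_t n = 3;
    for (size_t i = 2; i < sep; i++) { n++; good &= (uint8_t)~ct_eq8(em[i], 0x00); }  /* PS nonzero */
    for (size_t j = 0; j < mlen; j++) out[j] = ct_select8(good, em[sep + 1 + j], fallback[j]);
    *work = n;
    return good & 1;
}

static const uint8_t MSG[MLEN]      = {0xDE, 0xAD, 0xBE, 0xEF};  /* constructed message */
static const uint8_t FALLBACK[MLEN] = {0x11, 0x22, 0x33, 0x44};  /* constructed; random in practice */

/* Build a well-formed constructed EM around MSG. */
static void build_em(uint8_t em[EMLEN]) {
    em[0] = 0x00; em[1] = 0x02;
    for (size_t i = 2; i < EMLEN - MLEN - 1; i++) em[i] = (uint8_t)(0xA0 + i);  /* nonzero PS */
    em[EMLEN - MLEN - 1] = 0x00;
    memcpy(em + EMLEN - MLEN, MSG, MLEN);
}

/* One scenario: idx < 0 keeps EM valid, otherwise em[idx] is overwritten with val. */
static int run_case(int use_ct, int idx, uint8_t val, size_t *work, uint8_t out[MLEN]) {
    uint8_t em[EMLEN];
    build_em(em);
    if (idx >= 0) em[idx] = val;
    return use_ct ? unpad_ct(em, EMLEN, MLEN, FALLBACK, out, work)
                  : unpad_leaky(em, EMLEN, MLEN, out, work);
}

/* Probes: bytes inspected, verdict, and which buffer out matches (1 = MSG, 2 = FALLBACK, 0 = neither). */
static size_t work_for(int use_ct, int idx, uint8_t val) { size_t w; uint8_t o[MLEN]; run_case(use_ct, idx, val, &w, o); return w; }
static int verdict_for(int use_ct, int idx, uint8_t val) { size_t w; uint8_t o[MLEN]; return run_case(use_ct, idx, val, &w, o); }
static int output_kind(int use_ct, int idx, uint8_t val) {
    size_t w; uint8_t o[MLEN] = {0};
    run_case(use_ct, idx, val, &w, o);
    if (memcmp(o, MSG, MLEN) == 0) return 1;
    if (memcmp(o, FALLBACK, MLEN) == 0) return 2;
    return 0;
}

int main(void) {
    const char *names[] = {"valid", "bad type byte", "zero inside PS"};
    int idx[] = {-1, 1, 5};
    uint8_t val[] = {0x00, 0x01, 0x00};
    for (int k = 0; k < 3; k++)
        printf("%-15s leaky: work=%2zu verdict=%d | ct: work=%2zu verdict=%d\n", names[k],
               work_for(0, idx[k], val[k]), verdict_for(0, idx[k], val[k]),
               work_for(1, idx[k], val[k]), verdict_for(1, idx[k], val[k]));
    return 0;
}
```

The leaky routine does 28 units of work on a valid block, 2 when the type byte is wrong and 6 when a zero appears at position 5, so the amount of work (time) tells an observer where the padding failed; the constant-time routine does 28 every time and hands back the fallback on failure, which is what removes the oracle. Real code also has to keep the big-number arithmetic before this step free of secret-dependent timing, which is a separate concern the advisory's fix addresses.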