[opensuse] Openssl advisory
https://www.openssl.org/news/secadv/20160922.txt

What's the Leap 42.1 story?

TIA
Michael
--
Michael Fischer
michael@visv.net
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 09/22/2016 12:02 PM, Michael Fischer wrote:
> OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
> =====================================================================
>
> Severity: High
>
> A malicious client can send an excessively large OCSP Status Request extension.
> ....

I have no doubt about the existence of 'malicious clients'. But like we advise people not to use HTML mail and not to click on those seemingly innocent links that actually lurk underneath the innocent-looking link, and not to open attachments from people you don't know, there's a 'don't visit strange sites' etc etc advice we give, or should give, our users.

It's futile, though.

Yes, I'm sure Good Sites can be hacked, friends and relatives and otherwise bona fide correspondents get their accounts hacked or their email spoofed and things turn nasty. But don't deliberately go out there and cause confusion and invite malware. You may end up being that 'trusted correspondent' who actually has their account hacked.

What's the couplet from that Don McLean song?

    They would not listen, they're not listening still
    Perhaps they never will

--
The mantra of any good security engineer is: 'Security is not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together.
-- Bruce Schneier
On Thu, Sep 22, Anton Aylward wrote:
> On 09/22/2016 12:02 PM, Michael Fischer wrote:
>> OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
>> =====================================================================
>>
>> Severity: High
>>
>> A malicious client can send an excessively large OCSP Status Request extension.
>> ....
>
> But don't deliberately go out there and cause confusion and invite malware. You may end up being that 'trusted correspondent' who actually has their account hacked.

Sorry... I don't get your reply. I was asking (mainly the SuSE folks on the list) if they expect patches out soon for any of the vulnerabilities mentioned in the advisory, or if SuSE's builds of openssl are not subject to those CVEs.

Thanks.
Michael
--
Michael Fischer
michael@visv.net
On 09/22/2016 02:28 PM, Michael Fischer wrote:
> I was asking (mainly the SuSE folks on the list) if they expect patches out soon for any of the vulnerabilities mentioned in the advisory, or if SuSE's builds of openssl are not subject to those CVEs.

Oh, sorry. I thought "when will patches be out" was the sort of question you asked if you wanted to know when patches would be out. I've seen people ask that in the past.

I thought by 'story' you were asking how 42.1 came to be when you asked "What's the 4.1 story?"

SWYM.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On Thu, Sep 22, 2016 at 12:02:31PM -0400, Michael Fischer wrote:
> https://www.openssl.org/news/secadv/20160922.txt
>
> What's the Leap 42.1 story?

Will be released after the SLES release.

There is nothing severe in our opinion, the only High issue is a denial of service only.

Ciao, Marcus
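The question in the thread ("are SuSE's builds subject to those CVEs?") is worth answering on your own box rather than waiting on the list, and the answer is not what `openssl version` alone says. Distributions backport fixes without bumping the upstream version string, so a version check against the advisory gives false positives on a patched package; the rpm changelog (`rpm -q --changelog openssl`), where SUSE lists fixed CVE ids, is the second signal. The triage helper below is an added example, not code from the thread or from openSUSE; the fixed upstream releases (1.0.1u, 1.0.2i, 1.1.0a) come from the linked advisory, the changelog format and the sample version/changelog strings are constructed for illustration, and `triage`, `upstream_version_vulnerable` and `changelog_mentions_cve` are names chosen here.

```python
"""Triage helper for the OpenSSL advisory of 2016-09-22 (CVE-2016-6304).

Two checks an admin would run on a Leap box:
 1. compare the `openssl version` output with the fixed upstream
    releases named in https://www.openssl.org/news/secadv/20160922.txt;
 2. look for the CVE id in the package changelog, because a distro
    build can carry the fix without changing the upstream version.
Sample inputs at the bottom are constructed, not captured from a real host.
"""
import re

# Upstream branch -> first patch letter that contains the fix (from the advisory).
FIXED = {"1.0.1": "u", "1.0.2": "i", "1.1.0": "a"}

_VER_RE = re.compile(r"OpenSSL (\d+\.\d+\.\d+)([a-z]*)")


def upstream_version_vulnerable(version_output):
    """True if the version string is below the fixed release of its branch.

    Returns None for a branch the advisory does not cover (e.g. 3.0.x),
    since this check cannot say anything about it.
    """
    m = _VER_RE.search(version_output)
    if not m:
        raise ValueError("not an 'openssl version' string: %r" % version_output)
    branch, letter = m.group(1), m.group(2)
    fix = FIXED.get(branch)
    if fix is None:
        return None
    # 1.0.x/1.1.0 patch releases are ordered by letter suffix; a bare
    # "1.1.0" (empty suffix) sorts before "1.1.0a", and "za" after "i".
    return letter < fix


def changelog_mentions_cve(changelog_text, cve="CVE-2016-6304"):
    """True if the package changelog names the CVE (a backported fix)."""
    return re.search(re.escape(cve), changelog_text) is not None


def triage(version_output, changelog_text):
    """Combine both signals into one verdict."""
    vuln = upstream_version_vulnerable(version_output)
    if vuln is None:
        return "unknown-branch"
    if not vuln:
        return "fixed-upstream"
    return "backported-fix" if changelog_mentions_cve(changelog_text) else "vulnerable"


# Constructed sample data (maintainer address is a placeholder).
SAMPLE_VERSION = "OpenSSL 1.0.1i-fips 6 Aug 2014"
SAMPLE_CHANGELOG_UNPATCHED = """\
* Tue May 03 2016 maintainer@example.org
- security update (CVE-2016-2105, CVE-2016-2106)
"""
SAMPLE_CHANGELOG_PATCHED = """\
* Fri Sep 23 2016 maintainer@example.org
- OpenSSL Security Advisory [22nd Sep 2016]
  * CVE-2016-6304: OCSP Status Request extension unbounded memory growth
""" + SAMPLE_CHANGELOG_UNPATCHED


if __name__ == "__main__":
    import subprocess
    try:
        ver = subprocess.run(["openssl", "version"], capture_output=True, text=True).stdout
        log = subprocess.run(["rpm", "-q", "--changelog", "openssl"],
                             capture_output=True, text=True).stdout
    except FileNotFoundError:  # no openssl/rpm on this host: fall back to samples
        ver, log = SAMPLE_VERSION, SAMPLE_CHANGELOG_PATCHED
    print(triage(ver, log))
```

A "vulnerable" verdict only means the package has not yet received the fix as far as the changelog shows; a "backported-fix" verdict still assumes the maintainer recorded the CVE id, which is SUSE's convention but not a guarantee.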
participants (3)
- Anton Aylward
- Marcus Meissner
- Michael Fischer