overwrite of a buffer which could cause a crash and possible code execution.
https://github.com/openssl/openssl/commit/3b421ebc64c7b52f1b...
A one character change.
-
Reminder that rustls exists as a pretty mature TLS implementation in safe Rust (thus systematically avoiding issues like this). Thanks to Brian Smith for creating the webpki crate which was thoroughly engineered from the start to avoid stuff like this.
rustls has C bindings these days: https://github.com/rustls/rustls-ffi
I've started work on Python bindings too, with the idea that it probably wouldn't be crazy hard to do something that can pass as an `ssl.SSLSocket`. Please sponsor me on GitHub if that's something you'd like to use (https://github.com/sponsors/djc).
Note, we're aware that by far the biggest impediment to adopting rustls is the lack of support for IP addresses in certificates (we currently need a DNS name). This work is funded and should be completed in the next few months.
-
OpenSSL-2022
Operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3
I'm oversimplifying it a bit, but anything that hasn't reached stable this year is still using v1.1.1 (and therefore unaffected).
Ubuntu v22.04 is vulnerable, but any before it is not. Debian is good (except bookworm which is currently in testing), Fedora (<36) is good, RHEL/CentOS (<9), Arch...
So on top of being not as serious as Heartbleed, servers that are a bit longer in operation (but still well within their support cycle) don't need patching.
-
The NixOS update has some details: https://github.com/NixOS/nixpkgs/pull/198999
### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]
* Fixed two buffer overflows in punycode decoding functions.
A buffer overrun can be triggered in X.509 certificate verification,
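The "one character change" in the commit linked above and the two punycode overflows in the 3.0.7 changelog are an off-by-one bounds check on a fixed-size output buffer. The following Python model is an added illustration of that bug class, not OpenSSL's code: a decoder appends elements into a buffer of fixed capacity, and the only difference between the broken and the correct check is `>` versus `>=`. In C the broken check silently writes one element past the end; here the model buffer raises, so the difference shows up as a return value. Names (`FixedBuffer`, `decode_into`, `demo`) are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class FixedBuffer:
    """Models a C array with `capacity` slots; out-of-range writes raise
    instead of corrupting adjacent memory (constructed for this example)."""
    capacity: int
    data: list = field(default_factory=list)

    def __post_init__(self):
        self.data = [None] * self.capacity

    def write(self, index, value):
        if not 0 <= index < self.capacity:
            raise IndexError(f"write at {index} outside capacity {self.capacity}")
        self.data[index] = value


def decode_into(buf, items, strict_bound):
    """Copy `items` into `buf` one slot at a time.

    Returns the number of elements written, or None when the input does
    not fit. The bound check is the only thing that varies:
      strict_bound=True  -> reject when written >= capacity (correct)
      strict_bound=False -> reject when written >  capacity (off by one)
    """
    written = 0
    for item in items:
        if strict_bound:
            if written >= buf.capacity:
                return None
        else:
            # Off-by-one: written == capacity passes, and the write below
            # targets index `capacity`, one slot past the end of the buffer.
            if written > buf.capacity:
                return None
        buf.write(written, item)
        written += 1
    return written


def demo(n_items, capacity, strict_bound):
    """Run one decode attempt and report 'ok', 'rejected' or 'overflow'."""
    buf = FixedBuffer(capacity)
    try:
        result = decode_into(buf, range(n_items), strict_bound)
    except IndexError:
        return "overflow"
    return "ok" if result is not None else "rejected"


if __name__ == "__main__":
    for strict in (False, True):
        for n in (3, 4, 5):
            print(f"strict={strict!s:5} items={n} capacity=4 -> {demo(n, 4, strict)}")
```

With the correct check, input that exactly fills the buffer is accepted and one element more is rejected; with the off-by-one check, that one extra element is written past the end.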
-
betterscan-ce
Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners + OpenAI GPT with One Report (Code, IaC) - Betterscan Community Edition (CE)
If you want to scan a binary to see if it uses a vulnerable version, use this YARA rule: https://github.com/marcinguy/betterscan-ce/blob/master/analy...
Courtesy of Akamai.
If you don't know the YARA tool, you can run this command in the folder where your binary is (it will install everything needed):
sh <(curl https://dl.betterscan.io/cli.sh)
Hope that helps somebody
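As an added example (not the YARA rule above, and not part of betterscan or this post), here is a minimal string-based check in Python for the same question: which OpenSSL version a binary carries and whether it is in the affected range. It assumes the binary embeds OpenSSL's version text in the usual `OpenSSL 3.0.5 5 Jul 2022` form and classifies 3.0.0 through 3.0.6 as affected, 3.0.7 and later as fixed, and 1.1.1 and older as unaffected, as the thread states. A stripped or unusually built library may not expose the string, so a miss is not proof of safety. The sample blob is constructed inline.

```python
import re
import sys
from typing import Dict, List, Tuple

# Assumption: release builds embed OPENSSL_VERSION_TEXT, e.g.
# "OpenSSL 3.0.5 5 Jul 2022". Only the numeric triple is captured.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)")


def classify(version: Tuple[int, int, int]) -> str:
    """Map a version triple to affected / fixed / unaffected."""
    major, minor, patch = version
    if major < 3:
        return "unaffected"          # 1.1.1 and earlier, per the thread
    if major == 3 and (minor, patch) < (0, 7):
        return "affected"            # 3.0.0 .. 3.0.6
    return "fixed"                   # 3.0.7 and later


def scan_blob(blob: bytes) -> List[Dict]:
    """Find every embedded OpenSSL version string and classify it."""
    findings = []
    for m in VERSION_RE.finditer(blob):
        version = tuple(int(g) for g in m.groups())
        findings.append({
            "offset": m.start(),
            "version": version,
            "status": classify(version),
        })
    return findings


def scan_file(path: str) -> List[Dict]:
    with open(path, "rb") as fh:
        return scan_blob(fh.read())


# Constructed stand-in for a binary: filler bytes around three version
# strings (one affected, one unaffected, one fixed).
SAMPLE = (
    b"\x7fELF\x00\x00filler"
    + b"OpenSSL 3.0.5 5 Jul 2022\x00"
    + b"\x90" * 8
    + b"OpenSSL 1.1.1q  5 Jul 2022\x00"
    + b"OpenSSL 3.0.7 1 Nov 2022\x00"
)


if __name__ == "__main__":
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_blob(SAMPLE)
    if not results:
        print("no OpenSSL version string found (not proof of safety)")
    for f in results:
        v = ".".join(str(x) for x in f["version"])
        print(f"offset {f['offset']:#x}: OpenSSL {v} -> {f['status']}")
```

Run it with a path argument to scan a real file, or with no arguments to run against the constructed sample.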
-
Colm MacCárthaigh has a nice writeup on CVE-2022-3602 including steps to reproduce: https://github.com/colmmacc/CVE-2022-3602
-