OpenSSL 3.0.7 Published

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • OpenSSL

    TLS/SSL and crypto library

    overwrite of a buffer which could cause a crash and possible code execution.

    https://github.com/openssl/openssl/commit/3b421ebc64c7b52f1b...

    A one character change.

  • rustls-ffi

    Use Rustls from any language

    Reminder that rustls exists as a pretty mature TLS implementation in safe Rust (thus systematically avoiding issues like this). Thanks to Brian Smith for creating the webpki crate which was thoroughly engineered from the start to avoid stuff like this.

    rustls has C bindings these days: https://github.com/rustls/rustls-ffi

    I've started work on Python bindings too, with the idea that it probably wouldn't be crazy hard to do something that can pass as an `ssl.SSLSocket`. Please sponsor me on GitHub if that's something you'd like to use (https://github.com/sponsors/djc).

    Note, we're aware that by far the biggest impediment to adopting rustls is the lack of support for IP addresses in certificates (we currently need a DNS name). This work is funded and should be completed in the next few months.

  • OpenSSL-2022

    Operational information regarding CVE-2022-3602 and CVE-2022-3786, two vulnerabilities in OpenSSL 3

    I'm oversimplifying it a bit, but anything that hasn't reached stable this year is still using v1.1.1 (and therefore unaffected).

    Ubuntu v22.04 is vulnerable, but any before it is not. Debian is good (except bookworm which is currently in testing), Fedora (<36) is good, RHEL/CentOS (<9), Arch...

    So on top of being not as serious as Heartbleed, servers that are a bit longer in operation (but still well within their support cycle) don't need patching.

    https://github.com/NCSC-NL/OpenSSL-2022/tree/main/software

  • nixpkgs

    Nix Packages collection & NixOS

    The NixOS update has some details: https://github.com/NixOS/nixpkgs/pull/198999

    ### Changes between 3.0.6 and 3.0.7 [1 Nov 2022]

    * Fixed two buffer overflows in punycode decoding functions.

       A buffer overrun can be triggered in X.509 certificate verification,

  • betterscan-ce

    Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners + OpenAI GPT with One Report (Code, IaC) - Betterscan Community Edition (CE)

    If you want to scan a binary to see if it uses a vulnerable version, use this YARA rule: https://github.com/marcinguy/betterscan-ce/blob/master/analy...

    Courtesy of Akamai.

    If you don't know the YARA tool, you can run this command in the folder where your binary is (it will install everything needed):

    sh <(curl https://dl.betterscan.io/cli.sh)

    Hope that helps somebody

  • CVE-2022-3602

    Colm MacCárthaigh has a nice writeup on CVE-2022-3602 including steps to reproduce: https://github.com/colmmacc/CVE-2022-3602

  • rustls

    A modern TLS library in Rust
