
GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
2020-04-23 10:06

A static analysis feature set to appear in GCC 10, which will catch common programming errors that can lead to security vulnerabilities, has scored an early win - it snared an exploitable flaw in OpenSSL. Bernd Edlinger discovered CVE-2020-1967, a denial-of-service flaw deemed to be a high severity risk by the OpenSSL team.

While the flaw is an irritation - it's not remote-code execution but it can potentially hose servers and apps - programmers may be more interested in how it was uncovered.

Edlinger credits the discovery of the bug to GCC 10's brand new static analysis feature.

That means, hopefully, that a good number of security bugs will be discovered and squashed as more programmers migrate to GCC 10 and take the analyzer out for a spin.

The analyzer is available from the master branch of the GCC 10 source code.


News URL

https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/04/23/gcc_openssl_vulnerability/

Related Vulnerability

Date: 2020-04-21
CVE: CVE-2020-1967
Title: NULL Pointer Dereference vulnerability in multiple products
Description: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension.
Risk: 7.5
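As an added illustration (not OpenSSL's code and not the actual CVE-2020-1967 fix), here is a constructed model of the bug class described above: a lookup for an optional TLS extension returns NULL when the peer did not send it, and a caller dereferences the result without checking, which GCC 10's -fanalyzer can flag at compile time. The `find_ext`, `sigalgs_cert_len_*` names and the handshake struct are assumptions; code point 50 is the RFC 8446 value for signature_algorithms_cert.

```c
/* Added example, not OpenSSL's code: a constructed model of the bug class
 * CVE-2020-1967 belongs to (dereferencing an optional TLS extension that
 * was never received). Build with GCC 10's analyzer to see the NULL path
 * reported (file name assumed):  gcc -fanalyzer -c ext_check.c
 */
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-ins for a parsed handshake; 50 is the RFC 8446
 * code point for "signature_algorithms_cert". */
#define EXT_SIGALGS_CERT 50

struct ext {
    uint16_t type;
    const uint8_t *data;
    size_t len;
};

struct handshake {
    struct ext exts[4];
    size_t n_exts;
};

/* Returns the extension, or NULL when the peer did not send it. */
static const struct ext *find_ext(const struct handshake *hs, uint16_t type) {
    for (size_t i = 0; i < hs->n_exts; i++)
        if (hs->exts[i].type == type)
            return &hs->exts[i];
    return NULL;
}

/* Vulnerable pattern: assumes the optional extension is always present.
 * The analyzer sees the NULL return path of find_ext and warns here. */
size_t sigalgs_cert_len_unchecked(const struct handshake *hs) {
    const struct ext *e = find_ext(hs, EXT_SIGALGS_CERT);
    return e->len;   /* NULL when absent: crash (denial of service) */
}

/* Hardened pattern: absence is a distinct, non-fatal result. */
int sigalgs_cert_len_checked(const struct handshake *hs, size_t *out) {
    const struct ext *e = find_ext(hs, EXT_SIGALGS_CERT);
    if (e == NULL)
        return 0;        /* extension not sent; caller falls back */
    *out = e->len;
    return 1;
}
```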

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Openssl 2 12 92 51 16 171