Security News

OpenSSL 3.2.0 released: New cryptographic algorithms, support for TCP fast open, and more!
2023-11-27 07:28

Support for client side QUIC, including support for multiple streams. Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD. Support for the Argon2 KDF, along with supporting thread pool functionality.

FreeBSD 14.0 released, OpenSSH and OpenSSL updated
2023-11-21 14:08

FreeBSD provides sophisticated features in networking, performance, security, and compatibility.

OpenSSL 1.1.1 reaches end of life for all but the well-heeled
2023-09-12 18:00

$50k to breathe new life into its corpse. The rest of us must move on to OpenSSL 3.0. OpenSSL 1.1.1 has reached the end of its life, making a move to a later version essential for all, bar those...

Serious Security: GnuTLS follows OpenSSL, fixes timing attack bug
2023-02-13 19:59

Along with those memory bugs, we also reported on a bug dubbed CVE-2022-4304: Timing Oracle in RSA Decryption. In other words, so-called timing attacks of this sort are always troublesome, even if you might need to send millions of bogus packets and time them all to have any chance at all.

OpenSSL Fixes Multiple New Security Flaws with Latest Update
2023-02-09 09:51

The OpenSSL Project has released fixes to address several security flaws, including a high-severity bug in the open source encryption toolkit that could potentially expose users to malicious attacks. The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list over a network.

OpenSSL fixes High Severity data-stealing bug – patch now!
2023-02-08 19:58

There are eight CVE-numbered bug fixes in all, and you probably won't be surprised to hear that seven of these were caused by memory mismanagement. Like OpenSSH, which we wrote about at the end of last week, OpenSSL is written in C, and taking care of memory allocation and deallocation in C programs typically involves a lot of "Do it yourself".

Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions
2022-11-25 11:15

An analysis of firmware images across devices from Dell, HP, and Lenovo has revealed the presence of outdated versions of the OpenSSL cryptographic library, underscoring a supply chain risk. The firmware development environment, which is in its second iteration, comes with its own cryptographic package called CryptoPkg that, in turn, makes use of services from the OpenSSL project.

Week in review: High-severity OpenSSL vulnerabilities fixed, Patch Tuesday forecast
2022-11-06 09:00

You can up software supply chain security by implementing these measures. The COVID-19 pandemic has been a driving force in digital acceleration, and it continues to wield its influence in how organizations and their staff embrace work. Most missed area of zero trust: Unmanageable applications. In this Help Net Security video, Matthew Chiodi, Chief Trust Officer of Cerby, talks about the likely hole in your security strategy.

The OpenSSL security update story – how can you tell what needs fixing?
2022-11-03 20:44

Windows has its own independently developed and maintained encryption library with the wacky name Cryptography API: Next Generation, so in theory you would not expect to have to worry about OpenSSL on Windows at all. Dll in its System folder, which is a filename typically associated with OpenSSL. Intriguingly, that one turns out to be a false alarm, because it was compiled from the LibreSSL code, a similar but alternative cryptographic library from the OpenBSD team that is loosely compatible with OpenSSL, but doesn't have these bugs in it.

OpenSSL downgrades horror bug after week of panic, hype
2022-11-01 21:39

OpenSSL today issued a fix for a critical-turned-high-severity vulnerability that project maintainers warned about last week. It's not every day we're warned of a critical flaw in OpenSSL - an important software library typically used by various apps and servers to encrypt data over networks and the internet - and so infosec vendors and blogs and influencers couldn't help but hype it up, promising live feeds of pain and misery when details of the holes are revealed.