The code and data behind xeiaso.net
5
fork

Configure Feed

Select the types of activity you want to include in your feed.

CVE-2024-5535

Signed-off-by: Xe Iaso <me@xeiaso.net>

Xe Iaso 98c6a71d 0b582f98

+4 -4
+4 -4
lume/src/shitposts/no-way-to-prevent-this/CVE-2024-5535.md
··· 1 1 --- 2 2 title: '"No way to prevent this" say users of only language where this regularly happens' 3 - date: 2024-06-27 3 + date: 2024-07-30 4 4 series: "no-way-to-prevent-this" 5 5 type: blog 6 6 hero: ··· 9 9 prompt: A forlorn business man resting his head on a brown wall next to a window. 10 10 --- 11 11 12 - In the hours following the release of [CVE-2024-5535](https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html) for the project [OpenSSL](https://openssl.org/), site reliability workers 13 - and systems administrators scrambled to desperately rebuild and patch all their systems to fix NPN (the precursor to ALPN) in OpenSSL 1.0.x, 1.1.x, and 3.x leaking 255 bytes of client heap to the server with every write. This is due to the affected components being 12 + In the hours following the release of [CVE-2024-5535](https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html) for the project [OpenSSL](https://openssl-library.org/), site reliability workers 13 + and systems administrators scrambled to desperately rebuild and patch all their systems to fix a memory safety vulnerability allowing 255 bytes of the client's heap to be sent to the server when using Next-Protocol-Notifications (commonly used for HTTP/2 connections). This vulnerability has existed since 2011. This is due to the affected components being 14 14 written in C, the only programming language where these vulnerabilities regularly happen. "This was a terrible tragedy, but sometimes 15 - these things just happen and there's nothing anyone can do to stop them," said programmer Ms. Carrie Kuhn, echoing statements 15 + these things just happen and there's nothing anyone can do to stop them," said programmer Miss Josefina Terry, echoing statements 16 16 expressed by hundreds of thousands of programmers who use the only language where 90% of the world's memory safety vulnerabilities have 17 17 occurred in the last 50 years, and whose projects are 20 times more likely to have security vulnerabilities. "It's a shame, but what can 18 18 we do? There really isn't anything we can do to prevent memory safety vulnerabilities from happening if the programmer doesn't want to