Latest OpenSSL Vulnerabilities Revealed; LibreSSL In Better Shape

  • Latest OpenSSL Vulnerabilities Revealed; LibreSSL In Better Shape

    Phoronix: Latest OpenSSL Vulnerabilities Revealed; LibreSSL In Better Shape

    The latest OpenSSL security vulnerabilities were made public today with four CVEs being addressed...

  • #2
    Originally posted by
    However, the impact on the OpenBSD-initiated LibreSSL project's code -- which has undergone extensive cleanup since LibreSSL forked off OpenSSL's code base in 2014 -- appears to be limited. Out of a total of 13 CVEs in OpenSSL's announcement, only five - CVE-2015-0207, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289 and CVE-2015-0209, still applied to LibreSSL's code.

    The main takeaway from the announcement appears to be that the cleanup has been effective, however these 'crash-inducing' issues have now been fixed in LibreSSL:

    CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
    CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
    CVE-2015-0287 - ASN.1 structure reuse memory corruption
    CVE-2015-0289 - PKCS7 NULL pointer dereferences
    And the OpenBSD guys are right again, even if some people don't like their fork. I like LibreSSL and its mentality/strategy. The ones who don't like the fork may stop using OpenSSH. Oh, wait, you like how secure OpenSSH is and stuff? Well, the same guys try to do it with LibreSSL as much as they can and that's good, also making it more lightweight and fortunately without native Windows support. One might argue about its name though.


    • #3
      If you're up for some experimentation, you can make libressl the default on FreeBSD.
      To build ports against LibreSSL, add the following lines to /etc/make.conf:
      # Build ports against security/libressl
      WITH_OPENSSL_PORT=      yes
      OPENSSL_PORT=           security/libressl
      Most ports will build without issue, some need fixing.