Announcement

**opensource** · 20 March 2015, 12:34 PM

Originally posted by http://undeadly.org/cgi?action=article&sid=20150319145126

However, the impact on the OpenBSD-initated LibreSSL project's code -- which has undergone extensive cleanup since LibreSSL forked off OpenSSL's code base in 2014 -- appears to be limited. Out of a total of 13 CVEs in OpenSSL's announcement, only five - CVE-2015-0207, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289 and CVE-2015-0209, still applied to LibreSSL's code.

The main takeaway from the announcement appears to be that the cleanup has been effective, however these 'crash-inducing' issues have now been fixed in LibreSSL:

CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
CVE-2015-0287 - ASN.1 structure reuse memory corruption
CVE-2015-0289 - PKCS7 NULL pointer dereferences

And the OpenBSD guys are right again, even if some people don't like their fork. I like LibreSSL and its mentality/strategy. The ones who don't like the fork may stop using OpenSSH. Oh, wait, you like how secure OpenSSH is and stuff? Well, the same guys try to do it with LibreSSL as much as they can and that's good, also making it more lightweight and fortunately without native windows support. One might argue about its name though.

**KernelPanic** · 25 March 2015, 04:40 PM

If you're up for some experimentation, you can make libressl the default on FreeBSD.

https://wiki.freebsd.org/LibreSSL

Code:

To build ports against LibreSSL, add the following lines to /etc/make.conf

# Build ports against security/libressl
WITH_OPENSSL_PORT=      yes
OPENSSL_PORT=           security/libressl

Most ports will build without issue, some need fixing.

Announcement

Latest OpenSSL Vulnerabilities Revealed; LibreSSL In Better Shape

Latest OpenSSL Vulnerabilities Revealed; LibreSSL In Better Shape

Comment

Comment