1. 10
  1.  

  2. 7

    I really wish they had given the LibreSSL peeps more than just twenty-four hours notice. With HardenedBSD making LibreSSL a first-class citizen, it’s kinda frustrating to me that LibreSSL was left out to dry.

    I wonder what reasoning OpenSSL had for not disclosing sooner to LibreSSL.

    1. 3

      Is LibreSSL vulnerable to 6309? I can’t find the commit that fixed 6307, and all the relevant code has moved around so it’s hard (for me, at least) to tell if they have this or not.

      1. 11

        http://marc.info/?l=libressl&m=147490843900748&w=2

        Just a quick note that LibreSSL is not impacted by either of the issues mentioned in the latest OpenSSL security advisory - both of the issues exist in code that was added to OpenSSL in the last release, which is not present in LibreSSL.

        1. 2

          I was wondering the same about BoringSSL. We get security advisories about OpenSSL and not about the forks.

          1. 1

            I haven’t the slightest idea. I haven’t kept up with LibreSSL on a commit-by-commit basis. Bernard Spil is our resident LibreSSL expert.