
OpenSSL Security Advisory - 26 Sep 2016 - ctz
https://www.openssl.org/news/secadv/20160926.txt
======
Panino
I use LibreSSL and just want to thank OpenBSD/LibreSSL devs for their great
work. It makes running TLS a lot less stressful for me, so thank you.

Also: thanks to Google for finding the bug, via honggfuzz.

------
nikic
Thankfully the RCE vulnerability is only in OpenSSL 1.1, which is probably not
commonly used yet.

Does the second issue imply that OpenSSL does not have any automated tests for
the CRL functionality?

------
eis
I think unfortunately by now it's high time that we get a complete replacement
written in a safer language and one that doesn't carry so much old baggage.
And no, LibreSSL is no such thing.

~~~
adekok
There is a _lot_ of room for improvement in the current OpenSSL code base.
Simple cleanups, for one. Code formatting. Removing duplicate code. Static
analysis. Unit tests.

The OpenSSL maintainers seem to be doing something _other_ than all that. The
historical defence for this was that they had minimal funding (which is no
longer true), and that the funding they did have was for adding new features.

That's just not an acceptable excuse. And it never was an acceptable excuse.

Cleaning up code should be part of normal software development. Re-factoring
code, adding unit tests, etc. Adding static analysis builds (clang is free,
and Coverity is free for open source projects).

It's 2016. Why are some people still using software practices from 1992?

~~~
e40
Has this been suggested to the OpenSSL devs? If so, what did they say? If not,
adekok, perhaps you can do that. You are 100% correct here.

~~~
adekok
That's pretty much what the LibreSSL people have done. And no, they didn't get
much response or buy-in.

------
mulander
[http://marc.info/?l=libressl&m=147490843900748&w=2](http://marc.info/?l=libressl&m=147490843900748&w=2)

    Just a quick note that LibreSSL is not impacted by either
    of the issues mentioned in the latest OpenSSL security
    advisory - both of the issues exist in code that was
    added to OpenSSL in the last release, which is not
    present in LibreSSL.

------
aorth
TL;DR from the lead developer Rich Salz, on Twitter:

_openssl 1.1.0a had a use-after-free bug in its fix. :( 1.0.2 had a crash in
its fix. :( please update._

[https://twitter.com/RichSalz/status/780383148236541953](https://twitter.com/RichSalz/status/780383148236541953)

------
chillydawg
"woops". Good they caught it fast. Interesting it was from fuzzing rather than
direct inspection.

