
OpenBSD errata - mulander
https://marc.info/?l=openbsd-tech&m=144920913324251&w=2
======
trengrj
LibreSSL seemed to be pulling ahead with two of the OpenSSL vulnerabilities
not applicable.

It irks me that OpenSSL would keep a vulnerability from the LibreSSL team
since August. I hope people using OpenSSL will begin to switch over now.
LibreSSL has shown that it is not going away, and that it approaches security
in a far better way.

~~~
yuhong
I do wonder what LibreSSL is going to do about 1024-bit root removal.

------
Absentinsomniac
I just updated and recompiled everything a few days ago. Bad timing. Kinda
sucks that manual patching is a pain a lot of the time, but oh well,
dependencies will do that I guess.

------
jjuhl
Seems like the OpenBSD guys are a little bitter. And rightfully so. OpenSSL
has a lot of improvement work to do - both with their code base and their
collaboration efforts.

------
chx
> We did not merge this because it gave miod@ a bad feeling.

Not even sure what the right reaction to that is. On one hand, good for you
for skipping an insecure patch but on the other hand, only a bad feeling? You
didn't realize it's a security hole?

~~~
zeeboo
Neither did the people writing it, or merging it. Security isn't an obvious
property of code or there would be no security bugs. You have to rely on
heuristics, and in this case the heuristics were right.

------
jabiko
Looks like they have a typo in the CVE numbers.

CVE-2015-13XX should be CVE-2015-31XX.

~~~
jlgaddis
Yep, cited correctly in the actual errata though.

