

OpenSSL Security Advisories – LibreSSL Largely Unaffected - fcambus
http://undeadly.org/cgi?action=article&sid=20150319145126

======
some_furry
They didn't mention anywhere whether or not CVE-2015-0207 was patched, so I'm
left to assume it's still vulnerable (but hopefully a patch is being written
for it).

~~~
parfe
The patch for this issue is integrated in LibreSSL 2.1.6:

    
    
         * CVE-2015-0207 - Segmentation fault in DTLSv1_listen
             LibreSSL is not vulnerable, but the fix was safe to merge.
    

[http://marc.info/?l=openbsd-tech&m=142677928417277&w=2](http://marc.info/?l=openbsd-tech&m=142677928417277&w=2)

~~~
some_furry
Oh, thank you very much.

Every day, LibreSSL looks more attractive. I should take the time to learn to
compile PHP to hook into it instead of openssl.

------
peterwwillis
_> Log message: Fix several crash causing defects from OpenSSL._

Is there some reason they're obscuring the fact that these are security vulns?
Trying to keep their 'street cred' intact? (undeadly.org even uses quotes
around "crash-inducing" in their announcement, so it seems obvious this is
unusual language)

~~~
kymywho
Indeed. It will be embarrassing if LibreSSL turns out to be as buggy as
its predecessor from the get-go. Rewriting everything from scratch does not
necessarily lead to better code unless methodologies change too. OpenBSD guys
should open up their test suites (are there any?) in order to gain credibility
with their rewrite efforts.

