They didn't mention anywhere whether or not CVE-2015-0207 was patched, so I'm left to assume it's still vulnerable (but hopefully a patch is being written for it).
> Log message: Fix several crash causing defects from OpenSSL.
Is there some reason they're obscuring the fact that these are security vulns? Trying to keep their 'street cred' intact? (undeadly.org even uses quotes around "crash-inducing" in their announcement, so it seems obvious this is unusual language)
Indeed. It will be embarrassing if the libreSSL turns out to be as buggy as its predcessor from the get go. Rewriting everything from a scratch does not necessary lead to better code unless methodologies change too. OpenBSD guys should open up their test suites (are there any) in order to gain credibility with their rewrite efforts.
It's not a security vulnerability in the traditional sense (eg: disclosue of secrets, failing to keep integrity), but crashes. That's what the commit log says (which is quite accurate). They're not saying it want's an issue or bug at all.
7 comments
[ 4.3 ms ] story [ 23.0 ms ] threadEvery day, LibreSSL looks more attractive. I should take the time to learn to compile PHP to hook into it instead of openssl.
Is there some reason they're obscuring the fact that these are security vulns? Trying to keep their 'street cred' intact? (undeadly.org even uses quotes around "crash-inducing" in their announcement, so it seems obvious this is unusual language)