[Ach] openssl again

Seth list at sysfu.com
Mon Jan 12 02:09:18 CET 2015


On Sun, 11 Jan 2015 10:58:55 -0800, Kurt Roeckx <kurt at roeckx.be> wrote:
> I see several options:
> - You look for statements from libressl about it
>   (Couldn't find any good source, the only statements I could find
>    seem bogus.)
> - You look at the patch and see if it applies.
>
> So I've actually been looking at it.  I see one source that claims
> they fixed one of the issues.  (Actually reading what he says
> seems to say that fixed all those issues in a single commit.)  But
> if you actually look at the patch he points to it fixes a missing
> SSLerr() call and doesn't fix anything else.
>
> In fact, for all those issues that I looked at, as far as I can see,
> libressl is vulnerable and still didn't fix them.

I just found this tweet by Bob Beck claiming that they were pretty much  
all fixed in LibreSSL May 26th 2014.  
https://twitter.com/bob_beck/status/553233391164743682


