[Ach] openssl again

Seth list at sysfu.com
Mon Jan 12 02:09:18 CET 2015

On Sun, 11 Jan 2015 10:58:55 -0800, Kurt Roeckx <kurt at roeckx.be> wrote:
> I see several options:
> - You look from statements from libressl about it
>   (Couldn't find any good source, the only statements I could find
>    seems bogus.)
> - You look at the patch and see if it applies.
> So I've actually been looking at it.  I see one source that claims
> they fixed one of the issues.  (Actually reading what he says
> seems to say that fixed all those issues in a single commit.)  But
> if you actually look at the patch he points to it fixes a missing
> SSLerr() call and doesn't fix anything else.
> In fact, for all those issues that I looked at, as far as I can see,
> libressl is vulnerable and still didn't fix them.

I just found this tweet by Bob Beck claiming that they were pretty much  
all fixed in LibreSSL May 26th 2014.  

More information about the Ach mailing list