[Ach] openssl again

Kurt Roeckx kurt at roeckx.be
Mon Jan 12 09:10:13 CET 2015


On Sun, Jan 11, 2015 at 05:09:18PM -0800, Seth wrote:
> On Sun, 11 Jan 2015 10:58:55 -0800, Kurt Roeckx <kurt at roeckx.be> wrote:
> >I see several options:
> >- You look for statements from libressl about it
> >  (Couldn't find any good source, the only statements I could find
> >   seem bogus.)
> >- You look at the patch and see if it applies.
> >
> >So I've actually been looking at it.  I see one source that claims
> >they fixed one of the issues.  (Actually reading what he says
> >seems to say that fixed all those issues in a single commit.)  But
> >if you actually look at the patch he points to it fixes a missing
> >SSLerr() call and doesn't fix anything else.
> >
> >In fact, for all those issues that I looked at, as far as I can see,
> >libressl is vulnerable and still didn't fix them.
> 
> I just found this tweet by Bob Beck claiming that they were pretty much all
> fixed in LibreSSL May 26th 2014.
> https://twitter.com/bob_beck/status/553233391164743682

Yes, and that points to the commit adding a missing SSLerr() call.


Kurt



