[Ach] openssl again
kurt at roeckx.be
Mon Jan 12 09:10:13 CET 2015
On Sun, Jan 11, 2015 at 05:09:18PM -0800, Seth wrote:
> On Sun, 11 Jan 2015 10:58:55 -0800, Kurt Roeckx <kurt at roeckx.be> wrote:
> >I see several options:
> >- You look for statements from libressl about it
> > (Couldn't find any good source, the only statements I could find
> > seem bogus.)
> >- You look at the patch and see if it applies.
> >So I've actually been looking at it. I see one source that claims
> >they fixed one of the issues. (Actually reading what he says
> >seems to say that they fixed all those issues in a single commit.) But
> >if you actually look at the patch he points to it fixes a missing
> >SSLerr() call and doesn't fix anything else.
> >In fact, for all those issues that I looked at, as far as I can see,
> >libressl is vulnerable and still didn't fix them.
> I just found this tweet by Bob Beck claiming that they were pretty much all
> fixed in LibreSSL May 26th 2014.
Yes, and that points to the commit adding a missing SSLerr() call.