In case you missed it:
https://www.openssl.org/news/vulnerabilities.html
LibreSSL has fixed a number of those issues already, and only 4 issues
still applied.
Since we started working on LibreSSL, I believe that this is one of
the first major milestones in terms of reflection of the quality of our
work.
Quote from LibreSSL release page:
This release primarily addresses a number of security issues in coordination
with the OpenSSL project.
Fixes for the following issues are integrated into LibreSSL 2.1.6:
* CVE-2015-0286 - Segmentation fault in ASN1_TYPE_cmp
* CVE-2015-0287 - ASN.1 structure reuse memory corruption
* CVE-2015-0289 - PKCS7 NULL pointer dereferences
* CVE-2015-0209 - Use After Free following d2i_ECPrivatekey error
* CVE-2015-0288 - X509_to_X509_REQ NULL pointer deref
The patch for this issue is integrated in LibreSSL 2.1.6:
* CVE-2015-0207 - Segmentation fault in DTLSv1_listen
LibreSSL is not vulnerable, but the fix was safe to merge.
The following issues were addressed in earlier LibreSSL releases:
* CVE-2015-0204 - RSA silently downgrades to EXPORT_RSA
  Fixed in LibreSSL 2.1.2 - reclassified from low to high
* CVE-2015-0292 - Fault processing Base64 decode
  Fixed in LibreSSL 2.0.0
* CVE-2015-1787 - Empty CKE with client auth and DHE
  Fixed in LibreSSL 2.0.1
The following issues did not apply to LibreSSL 2.1.6:
* CVE-2015-0291 - OpenSSL 1.0.2 ClientHello sigalgs DoS
  Affected code is not present.
* CVE-2015-0290 - Multiblock corrupted pointer
  Affected code is not present.
* CVE-2015-0208 - Segmentation fault for invalid PSS parameters
  Affected code is not present.
* CVE-2015-0293 - DoS via reachable assert in SSLv2 servers
  Affected code is not present.
* CVE-2015-0285 - Handshake with unseeded PRNG
  Cannot happen by the design of the LibreSSL PRNG.
--
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
Received on Sun Mar 22 2015 - 11:15:57 PST