Slashdot Mirror


OpenSSL Patches Eight New Vulnerabilities

itwbennett writes: Server administrators are advised to upgrade OpenSSL again to fix eight new vulnerabilities, two of which can lead to denial-of-service (DoS) attacks. Although the flaws are only of moderate and low severity, "system administrators should plan to upgrade their running OpenSSL server instances in the coming days," said Tod Beardsley, engineering manager at vulnerability intelligence firm Rapid7.
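An added example of the check the summary is telling admins to run; this is not code from the article, from Rapid7 or from the OpenSSL project. It compares the OpenSSL binary on PATH against a required version you pass in (take it from the OpenSSL advisory for your branch; the version strings in the comments and usage line are illustrations, not taken from the article) and, on Linux, lists processes that still have a replaced libssl/libcrypto mapped, since those keep running the old code until they are restarted.

```shell
#!/bin/sh
# Added example, not from the article or from the OpenSSL project: decide whether
# a host still needs the OpenSSL upgrade, and (on Linux) which running processes
# keep the old libssl/libcrypto mapped after the package file was replaced.
# Assumptions: OpenSSL-style version strings (major.minor.fix plus patch letters,
# e.g. "1.0.1k" or "0.9.8zd", both illustrative); the fixed version for your
# branch comes from the OpenSSL advisory and is passed as the first argument.

# Turn a version string into one integer so two versions compare with -ge.
# "1.0.1k" -> 10001011, "0.9.8zd" -> 908706, "1.0.2" -> 10002000.
openssl_version_key() {
    v=${1%%[-+ ]*}               # drop "-fips", "+dfsg" or a trailing build date
    num=${v%%[a-z]*}             # numeric part, e.g. "1.0.1"
    suffix=${v#"$num"}           # patch letters: "k", "zd" or empty
    maj=${num%%.*}
    rest=${num#*.}; [ "$rest" = "$num" ] && rest=0
    min=${rest%%.*}
    fix=${rest#*.}; [ "$fix" = "$rest" ] && fix=0
    key=0                        # letters in base 27: a=1 .. z=26, za=703, zd=706
    while [ -n "$suffix" ]; do
        c=$(printf '%.1s' "$suffix")
        suffix=${suffix#?}
        ord=$(printf '%d' "'$c")
        key=$(( key * 27 + ord - 96 ))
    done
    echo $(( ((maj * 100 + min) * 100 + fix) * 1000 + key ))
}

# True when version $1 is at least version $2.
openssl_version_ge() {
    [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key "$2")" ]
}

# Ask the openssl binary (override with $OPENSSL) for its version and compare it
# with the required one. Returns 0 if current, 1 if an upgrade is needed,
# 2 if no binary was found.
check_openssl_binary() {
    required=$1
    out=$("${OPENSSL:-openssl}" version 2>/dev/null) || out=
    set -- $out                  # "OpenSSL 1.0.1k 8 Jan 2015" -> $2 is the version
    installed=$2
    if [ -z "$installed" ]; then
        echo "openssl binary not found"; return 2
    fi
    if openssl_version_ge "$installed" "$required"; then
        echo "ok: openssl $installed >= $required"
    else
        echo "UPGRADE NEEDED: openssl $installed < $required"; return 1
    fi
}

# Linux only: a process whose maps show libssl/libcrypto as "(deleted)" loaded
# the library before the package replaced the file and is still running old code.
find_stale_openssl_users() {
    for maps in /proc/[0-9]*/maps; do
        [ -f "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if grep -Eq 'lib(ssl|crypto)\.so[^ ]* \(deleted\)' "$maps" 2>/dev/null; then
            printf '%s\t%s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

main() {
    check_openssl_binary "$1"
    rc=$?
    if [ -d /proc/1 ]; then
        echo "processes still mapping a replaced libssl/libcrypto (restart them):"
        find_stale_openssl_users
    fi
    return $rc
}

# Usage: sh check_openssl.sh <required-version>   (e.g. the version in the advisory)
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Two caveats a practitioner would want: distributions that backport fixes (Debian, RHEL and their derivatives) keep the upstream version string, so on those hosts the version check says nothing about whether the fix is present and the package changelog is the thing to read; and the "(deleted)" scan is the reason "upgrade" is not the same as "restart": a long-running httpd, postfix or nginx keeps the old library mapped until it is restarted or the host is rebooted.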

4 of 79 comments

  1. Re:Time to switch to LibreSSL by Anonymous Coward · Score: 5, Informative

    If you had been paying attention you'd know that OpenSSL gets bugs reported, LibreSSL fixes them while OpenSSL stands around with their collective dick in their hands.

  2. Re:Sick of this by Anonymous Coward · Score: 5, Informative

    Of course it did, it is a fork (copy) of OpenSSL.

    However, one or two of the issues were fixed in LibreSSL back in May, before being discovered in OpenSSL.
    They were fixed as part of the general code quality improvement, and cleaning up the error handling and memory management.

    https://twitter.com/bob_beck/status/553233391164743682

  3. Re:Time to switch to LibreSSL by Anonymous Coward · Score: 2, Informative

    Because all commits have to be approved by the top team, who, again, stand around with their dicks in their hands. Doesn't matter how fast you are to help them; until one approves it, it isn't fixed.

  4. Re:Fork OpenSSL to OpenTLS by greg1104 · Score: 3, Informative

    Been tried already; see gnutls. We tried to switch from OpenSSL to gnutls as the preferred SSL library for PostgreSQL a few years back, even got some press coverage documenting the whole thing. But, sadly, OpenSSL has too many quirky APIs to make a transition away from it easy. And anyone who tries to be "bug compatible" creating a replacement to that mess is going to inherit some of the same bad design that needs to be burned with fire.