
> Good that OS X will update to a more recent version in El Capitan and also switch to LibreSSL (great step forward).

Not sure if you're being sarcastic?

"LibreSSL has the affected code and is thought to be vulnerable (untested)." - https://jbp.io/2015/06/11/cve-2015-1788-openssl-binpoly-hang...



They released updates today that fix CVE-2015-1788.

https://github.com/libressl-portable/portable/blob/master/Ch...


Can you explain why LibreSSL is a bad choice for the next OS X version? Maybe OpenSSL & LibreSSL are not fixed on exactly the same day (but around the same time region) but this is not bad IMHO.


Simply saying that, with regard to this issue, it didn't provide advance protection (that was my impression after reading the comment anyhow).


You claimed that LibreSSL is a great step forward, but there's no reason to think that it's a "great step".


> there's no reason

The last time a bunch of OpenSSL CVEs dropped, there were 14 of them; two of which were rated sev: High. LibreSSL was affected by 5 out of the 14, none of which were high-severity.

This time around there are seven vulnerabilities and LibreSSL is affected by four of them[1].

So there's at least 12 reasons.

    [0] https://marc.info/?l=openbsd-cvs&m=142677372515025&w=2
    [1] https://marc.info/?l=openbsd-announce&m=143406498020131&w=2


There were 7 CVEs of which 4 were applicable to LibreSSL, including the one in that link.



