There were more problems found in OpenSSL… right after the release of DragonFly 3.8. OpenSSL 1.0.1h has been committed, thanks to Robin Hahling and Sascha Wildner. I’ll be rolling a 3.8.1 release soon.
If you are saying “Hey, what about LibreSSL? And do I write it LibReSSL?”, it’s not set up as a portable release yet, and I don’t know the correct capitalization either. There is some debate about the lack of notification from OpenSSL to LibreSSL, though other vendors were notified days before.
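A quick way to check whether the OpenSSL on a given machine is already at 1.0.1h or later. This is an added example, not part of the post and not a DragonFly or OpenSSL project script; it assumes the usual OpenSSL version format (MAJOR.MINOR.FIX with an optional patch letter and an optional vendor suffix such as "-freebsd") and an "openssl version" banner of the form "OpenSSL 1.0.1h 5 Jun 2014". The function names are my own.

```sh
#!/bin/sh
# Added example (not from the DragonFly post or the OpenSSL project):
# check whether an installed OpenSSL is at least a given release, e.g. 1.0.1h.
# Assumptions: versions look like MAJOR.MINOR.FIX[letter][-suffix], and
# "openssl version" prints a line such as "OpenSSL 1.0.1h 5 Jun 2014".

# Turn "1.0.1h" into a single integer so releases compare with -lt/-ge.
# The patch letter (a..z) is the 1.0.x-era fix series; a bare "1.0.1" sorts
# before "1.0.1a". Trailing vendor suffixes such as "-freebsd" are ignored.
openssl_version_key() {
    num=$(printf '%s' "$1" | sed 's/[a-z].*$//')                     # 1.0.1
    letter=$(printf '%s' "$1" | sed 's/^[0-9.]*//; s/[^a-z].*$//')   # h, or empty
    major=$(printf '%s' "$num" | cut -d. -f1)
    minor=$(printf '%s' "$num" | cut -d. -f2)
    fix=$(printf '%s' "$num" | cut -d. -f3)
    if [ -n "$letter" ]; then
        l=$(( $(printf '%d' "'$letter") - 96 ))                      # a=1 ... z=26
    else
        l=0
    fi
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 10000 + ${fix:-0} * 100 + l ))
}

# openssl_at_least INSTALLED REQUIRED -> exit status 0 if INSTALLED >= REQUIRED
openssl_at_least() {
    [ "$(openssl_version_key "$1")" -ge "$(openssl_version_key "$2")" ]
}

# Pull the version field out of an "openssl version" banner line.
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# Compare the OpenSSL actually installed against a required release
# (default 1.0.1h). Exit 1 if it is older, 2 if no openssl binary is found.
check_installed_openssl() {
    req="${1:-1.0.1h}"
    banner=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 2; }
    have=$(openssl_version_from_banner "$banner")
    if openssl_at_least "$have" "$req"; then
        echo "OK: OpenSSL $have (>= $req)"
    else
        echo "OUTDATED: OpenSSL $have (< $req)"
        return 1
    fi
}

# Usage: sh check_openssl.sh --check [REQUIRED_VERSION]
if [ "${1:-}" = "--check" ]; then
    check_installed_openssl "${2:-1.0.1h}"
fi
```

Note that this only tells you which release string the binary reports; a vendor that backported the fixes without bumping the letter (see the discussion below on backporting) will still show the older version, so treat the result as a first screen, not proof of patch status.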
I’d heavily discourage anyone from updating to newer OpenSSL versions, as new features may be potential new issues. Exploitable code seems to pop up at an alarming rate in releases.
What’s the alternative if you’ve already got a version with known issues?
My question about LibreSSL: is it affected by these same issues that were pointed out this week?
I am not sure – I have been watching the OpenBSD commits, but I haven’t seen it… but then again, unless the commit message started with a big “this is for this problem” note, I may have skated right by it.
I find it odd that OpenBSD was not notified; people use it in production systems.
I hope DragonFly will switch to LibreSSL when it is ready.
There’s always the option of backporting the actual vulnerability fixes (usually only a couple of lines). It’s unclear how secure and trustworthy the library really is at this point, but that’s a decision maintainers/projects need to make for their users.
BTW, LibreSSL was also affected, and of course older versions of OpenBSD still run with normal OpenSSL, so these are affected too.
Here’s the patch for reference: https://bitbucket.org/braindamaged/openbsd-src/commits/9a2a133d99
OpenBSD was apparently not formally notified because it was not on some list. One OpenBSD lead developer also wrote that he didn’t wish to be added to that list because of time constraints: http://marc.info/?l=oss-security&m=139906348230995