OpenBSD Journal

LibreSSL not affected by DROWN attack

Contributed by phessler on from the super-duper-tuesday dept.

As noted by Bernard Spil, the OpenSSL bugs disclosed on 2016-03-01 have very little impact on LibreSSL, especially on OpenBSD. However, we will briefly mention the two high-profile issues:

  • LibreSSL (on any platform) is not affected by DROWN. Support for SSLv2 was flensed out quite a while ago.
  • Cachebleed is local-only, and requires a lot of effort to carry out. This is thought to be very difficult to exploit on OpenBSD due to many of the normal mitigations on an OpenBSD system. Other systems without such mitigations may not be so lucky.


    1. By Noryungi (noryungi) noryungi@yahoo.com on

      Does that mean we will still get a patch for the "Cachebleed", even if it is only a local vulnerability?

      1. By Anonymous Coward (82.68.199.130) on

        > Does that mean we will still get a patch for the "Cachebleed", even if it is only a local vulnerability?

        It is being looked at, but cannot be rushed as a mistake in fixing this could result in a much bigger problem.

        Read the FAQ (https://ssrg.nicta.com.au/projects/TS/cachebleed/) especially Q5.

        1. By Anonymous Coward (83.97.184.235) on

          "If you risk freedom or life by speaking up, leave empty (gets posted as Anonymous Coward), otherwise take credit and responsibility for your words (you do think it's worth submitting, after all)"

          Publishing an anonymous message makes one a coward in this community? I think what is really cowardly is to do it with a fake name. It has been proven that anonymity is more synonymous with humility; and humility is a condition, in my opinion, without which no one can be honest.

    2. By Anonymous Coward (89.163.220.14) on

      You know the bugs get serious when they are given names which have to do with misadventure, death, serious injury, fluffy animals, or a combination of such items.
