Prepare yourself: more problems with OpenSSL

[cooper]

http://marc.info/?l=openssl-announce&m=142653572011212

We'll discover on the 19th what's really up, but whatever it is, they think it's serious.

[ZaraByte]

I was using SSL on my site for awhile but all the moving around i do i gave up using it. People come to my site i guess for one main reason to leech and leave.

[cooper]

Of course, but be aware that any communication you have that doesn't travel the line as plain text has I would say at least a 90% chance of using OpenSSL for the crypto. The question isn't really "is this going to hurt" but "how much is this going to hurt". Our support staff here is on standby, waiting for the announcement so we can quickly move on the appropriate response.

[cooper]

And the advisory is out: http://openssl.org/news/secadv_20150319.txt
In all, nothing particularly shocking. A few DoS attack options which, while annoying, shouldn't pose that much of a problem anywhere.

Associated CVE's (as they appear in the advisory, so in order of severity):
CVE-2015-0291 NVD
CVE-2015-0204 NVD
CVE-2015-0290 NVD
CVE-2015-0207 NVD
CVE-2015-0286 NVD
CVE-2015-0208 NVD
CVE-2015-0287 NVD
CVE-2015-0289 NVD
CVE-2015-0292 NVD
CVE-2015-0293 NVD
CVE-2015-1787 NVD
CVE-2015-0285 NVD
CVE-2015-0209 NVD
CVE-2015-0288 NVD

What I want to know is how many of these apply to LibreSSL, if any. A number of these sound like things those folks would've ripped out in the early post-fork days.

Edited March 19, 2015 by Cooper