by glass-
3901 days ago
LibreSSL has had roughly half (22 to 43) as many vulnerabilities as OpenSSL since the fork and, before this, 0 sev:high, compared to OpenSSL's 5 sev:high. Would you really disregard all that because of a 1-byte buffer overflow and a memory leak?

CVE-2015-0204 affected LibreSSL, but they thought it was a low priority vulnerability, when it actually is a high priority. They fixed it, didn't notify upstream afaict and just issued a new release.
LibreSSL isn't a panacea, and based on that, they can't even classify vulnerabilities correctly.
Most of the vulnerabilities in OpenSSL are in parts (e.g. DTLS) which are disabled in lots of builds.