Hacker News
by fulafel 1330 days ago
For example, OpenSSH.

Does OpenSSH use OpenSSL? I thought they migrated to LibreSSL.
The Ubuntu 22.04 LTS openssh-server package seems to depend on libssl3, which is built from OpenSSL:

https://packages.ubuntu.com/jammy/openssh-server -> https://packages.ubuntu.com/jammy/libssl3 -> https://packages.ubuntu.com/source/jammy/openssl

Apparently there are some problems with LibreSSL on Linux: https://lwn.net/Articles/841664/

(Also, do we know that LibreSSL is unaffected?)

The GlobalSign article says:

> If you’re using version 1.1.1, this vulnerability doesn’t affect you

AFAIK, LibreSSL forked even before that - when OpenSSL was version 1.0 or 0.9 even. So likely not affected - unless a similar issue appeared there after the fork.

Parallel forks sometimes keep incorporating quite a lot of changes from each other, in the *BSD fork tradition. I'd also guess that LibreSSL is not affected but it's not a foregone conclusion.

In the previous OpenSSH vs OpenSSL 3 bug it went like this:

> The issue has been identified in OpenSSL version 3.0.4, which was released on June 21, 2022, and impacts x64 systems with the AVX-512 instruction set. OpenSSL 1.1.1 as well as OpenSSL forks BoringSSL and LibreSSL are not affected. (https://thehackernews.com/2022/06/openssh-to-release-securit...)

I'd expect higher quality code review from OpenBSD folks (who maintain LibreSSL), compared to OpenSSL.

Also, an interesting talk: LibreSSL: The first 30 days, and what the Future Holds from BSDCan: <https://www.youtube.com/watch?v=oM6S7FEUfkU>