LibreSSL can't be used everywhere OpenSSL is currently used. Notably (and intentionally) missing is FIPS 140-2 support, which most (almost all?) commercial product that uses OpenSSL will rely upon for selling a FIPS 140-2 compliant or validated product.
Personally, I find Network Security Services (NSS) much better designed than OpenSSL/LibreSSL and wish more things would use it. Notably better is the use of an actual database to store objects. This really helps when you are using certificate revocation lists (CRLs) which may be huge blobs that change frequently.
Wasn't there recently an announcement that OpenSSL was planning on removing FIPS 140 support in the near future and possible add it back at a later point in time?
in some case, if you're able to switch libraries, you might also be able to switch languages and therefore skip on future issues inherent to C. Consider for example: https://golang.org/pkg/crypto/tls/
Glad they are fixing these but damn it is scary every time I see OpenSSL in a headline anymore.
btw
HIGH Severity.
This includes issues that are of a lower risk than critical,
perhaps due to affecting less common configurations,
or which are less likely to be exploitable.
These issues will be kept private and will trigger
a new release of all supported versions.
I wonder what kind of new internet will emerge from the ashes of everything we've been using since the 1970s, when it finally all goes up in flames in the next few years.
You'll need a really, really, really massive meltdown before people are willing to fork over the money necessary to restart from scratch. Not even nuclear meltdowns have historically convinced people to do that. Not even global warming is convincing people to do that.
It's kind of unsettling to know there is a known vulnerability (at least known to some) out there and is going to stay unpatched for a couple of days. On the other hand, it is kind of nice to be able to brace for it mentally.
Does anybody know why the update is announced a couple of days in advance? Are e.g. maintainers of corresponding packages in Linux distros or *BSD given access to the code ahead of time so they can build new packages?
The early announcement allows our sysadmins to plan to work during those hours, and for the rest of our org to know that we'll have rolling infrastructure downtime, and that isn't the best time to plan a new feature launch etc.
presumably, the newly released code might teach malicious users what vulnerabilities are there, which in turn makes everyone who didn't patch quickly vulnerable.
By announcing in advance what is going to happen, people can be ready to update as soon as the patch is available.
It is possible that some vulnerabilities affected both LibreSSL and OpenSSL. In those cases, the total would be smaller than the sum of its parts. However, that is just speculation on my part.
Support the OpenBSD team:
http://www.openbsdfoundation.org/campaign2016.html
that makes the LibreSSL.