https://mta.openssl.org/pipermail/openssl-announce/2016-January/000058.html
Here we go again.
>The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2f, 1.0.1r. These releases will be made available on 28th January between approx. 1pm and 5pm (UTC). They will fix two security defects, one of "high" severity affecting 1.0.2 releases, and one "low" severity affecting all releases.
Oh, FFS.
Here we go again. Hire some fucking competent programmers FFS.
>>52629968
Fuck off already.
>>52630077
Uncalled for.
>>52630257
No, you clearly are an uneducated faggot and your comment made no sense at all.
OpenSSL is a fuckhuge, very complex and always under scrutiny project, there will always be bugs in something like that no matter how good the programmers are.
Also, since shit is open source you can join the project and help them write better code.
why not use an alternative library? mbedtls?
>>52629954
L i b r e S S L
i
b
r
e
S
S
L
>>52629954
People still use OpenSSL?
WTF? Don't they know that it's unaudited garbage?
LibreSSL has been its successor since Heartbleed, and unlike OpenSSL it's actually constantly audited to make sure there aren't any major vulnerabilities.
>>52630389
I wasn't him, and without you going into why a comment doesn't make sense, it's just you being lazy and cheap. Get off your high horse, stop shitposting, stop making ad hominem arguments, and stop suggesting random people do better instead (closely related to an ad ignorantiam).
>>52630451
It's not unaudited, anon. The project just sucks.
>>52630452
Here comes the white knight.
>>52629954
>"high" severity affecting 1.0.2
And that's why your server should be on Debian stable

$ apt-cache policy openssl
openssl:
  Installed: 1.0.1k-3+deb8u2
  Candidate: 1.0.1k-3+deb8u2
  Version table:
 *** 1.0.1k-3+deb8u2 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
>>52630609
This.
>>52630609
No, being outdated is not better for security.
You should be on FreeBSD, which is run by the creators of LibreSSL, and thus is more secure anyway.
>>52630625
Mate, LibreSSL is being developed by the OpenBSD Project.
>>52630625
Debian backports security fixes for older versions. We will soon see the "low" severity bug patched out in stable, and the "high" severity one was never there in the first place.
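A way to check the reasoning above against your own box, as an added example that is not from the thread: it parses the `apt-cache policy openssl` output quoted earlier, splits the Debian version into its upstream part and Debian revision, and reports which of the two announced defects apply to the installed branch. The `+debNuM` revision heuristic and every function name here are my own assumptions, not Debian tooling.

```python
import re

# Debian version format: [epoch:]upstream_version[-debian_revision]
# The Debian revision is everything after the LAST hyphen.
DEBIAN_VERSION_RE = re.compile(
    r"^(?:(?P<epoch>\d+):)?(?P<upstream>.+?)(?:-(?P<revision>[^-]+))?$")

# OpenSSL 1.0.x upstream versions look like 1.0.1k: numeric branch + patch letter.
OPENSSL_VERSION_RE = re.compile(r"^(?P<branch>\d+\.\d+\.\d+)(?P<letter>[a-z]*)$")

# Constructed sample: the apt-cache output quoted in the thread (jessie box).
SAMPLE_POLICY = """openssl:
  Installed: 1.0.1k-3+deb8u2
  Candidate: 1.0.1k-3+deb8u2
  Version table:
 *** 1.0.1k-3+deb8u2 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
"""

def parse_apt_policy(output):
    """Return the 'Installed:' version from `apt-cache policy <pkg>` output, or None."""
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Installed:"):
            value = line.split(":", 1)[1].strip()
            return None if value == "(none)" else value
    return None

def parse_debian_version(version):
    m = DEBIAN_VERSION_RE.match(version)
    if not m:
        raise ValueError("not a Debian version: %r" % version)
    return {"epoch": int(m.group("epoch") or 0),
            "upstream": m.group("upstream"),
            "revision": m.group("revision") or ""}

def assess(installed):
    """Map an installed openssl package version onto the two announced defects."""
    v = parse_debian_version(installed)
    m = OPENSSL_VERSION_RE.match(v["upstream"])
    if not m:
        raise ValueError("not an OpenSSL 1.0.x version: %r" % v["upstream"])
    branch = m.group("branch")
    return {
        "branch": branch,
        # Announcement: "high" affects 1.0.2 releases only, "low" affects all.
        "high_severity_applies": branch == "1.0.2",
        "low_severity_applies": True,
        # Heuristic (assumption): a +debNuM revision means distro security
        # patches are applied while the upstream letter (1.0.1k) stays frozen,
        # so compare against the Debian advisory, not upstream 1.0.1r.
        "vendor_patched": "+deb" in v["revision"],
    }
```

Because the upstream letter never moves on a backported package, `vendor_patched` only tells you the version string cannot be compared with upstream's; whether the "low" fix has landed is answered by the package changelog, not by this script.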
>>52630625
>You should be on FreeBSD, which is run by the creators of LibreSSL, and thus is more secure anyway.
What the hell are you on about?
From the libressl homepage:
>LibreSSL is supported financially by the OpenBSD Foundation and the OpenBSD Project. Please consider helping our efforts.
What the fuck does that have to do with FreeBSD?
>>52630639
Right, OpenBSD, that's what I meant.
>>52630452
>>52630257
Piss off you fucking faggot. The first reply in this thread is the most retarded piece of shit I've seen on 4chan today. The programmers ARE competent, the problem is the size of the project as well as the fact that it needs to be extremely multiplatform as well as secure. This is no easy task.
>>52630683
>buu huu muh open sores are really secure
kek
>>52630683
>What is reading comprehension?
I wasn't defending they weren't. I was defending
>>52629968 by pointing out that this >>52630077 comment was lazy and cheap without going into it further.
Again. Lay off, stop using insults as a cheap way to defend your assertion, stop shit posting, stop making ad hominem and ad ignorantiam fallacies by suggesting random people to do better themselves.
That's what happens when a bunch of under toe cheese eating asswipes are put in charge of security. Wasn't their open sores code available for review for like almost 20 years?