Well, according to (also unsourced, so no clue what the "real" story is) comments on the sister submission [1] it is because LibreSSL doesn't want to take part in the embargo on reported vulnerabilities.
It is weird, two of them (CVE-2015-0288 and CVE-2015-0209) are listed here also with links to patches, https://security-tracker.debian.org/tracker/source-package/o...
Why have an embargo on the vulnerabilities if you publish patches anyway? Which makes me think that the patches have not been committed yet and that the embargoed ones are different from these.
I can't say I feel comfortable with an announcement of "there's a vulnerability ranked high but we won't patch it until the 19th". I get why they do it that way and I prefer this announcement to nothing, but it's still somewhat unsettling.
They obviously know a lot more about security than I do so I'll live with that decision.
It's less than ideal but the obvious remediation is to update OpenSSL. Of course, if there are any other remediations it would be nice to know about them sooner. I know I'll have customers bugging me before Thursday.
Oh great, egos in programming leading to worse security situations for everybody.
Yeah Theo they made a fork of your code because it was insecure - that doesn't mean you should hope for them to fail just so you can say "they had a bug too".
Also, I don't see how you can read any ill intent out of the email alone. It shouldn't be unreasonable for the OpenSSL devs to share vulnerabilities with LibreSSL. I don't think he would use it for any malicious purposes. Though I guess it makes you want to err on the side of caution when he comes up with such classics as declaring Apache 2.0 proprietary for no other reason than that it has more lines of text than the previous version.
Not sure what he's saying. That the OpenSSL group are going to send the LibreSSL group vulnerabilities? That the LibreSSL group are about to disclose OpenSSL vulnerabilities? Just a bit confused!
Okay, a later story just appeared, I quote:
"This or earlier LibreSSL releases may also address issues that are to be revealed
by The OpenSSL Project Team on the 19th of March, 2015."
onestone | 11 years ago
http://marc.info/?l=openbsd-misc&m=142660009729096&w=2
noir_lord | 11 years ago
> Why? Well, they just don't. That's the whole story.
Then the story sucks; the security of core components underlying the internet is bigger than any one group.
Respect for end users would indicate that a simple heads up of a high severity bug to someone on the LibreSSL team would be the way to go.
detaro | 11 years ago
[1] https://news.ycombinator.com/item?id=9216815
rlpb | 11 years ago
It's not the whole story. Here's the whole story:
http://lwn.net/Articles/601958/
"As it turns out, de Raadt had been asked if he wanted to join the distros list back in early May."
"[de Raadt:] So I'll decline."
raverbashing | 11 years ago
bdg | 11 years ago
some_furry | 11 years ago
https://github.com/openssl/openssl/compare/OpenSSL_1_0_1l......
https://github.com/openssl/openssl/compare/OpenSSL_1_0_2...O...
Some interesting commits:
https://github.com/openssl/openssl/commit/327de270d583e716bc...
https://github.com/openssl/openssl/commit/f5ee5213073870493a...
https://github.com/openssl/openssl/commit/51527f1e3564f210e9...
cjg_ | 11 years ago
unknown | 11 years ago
[deleted]
kriro | 11 years ago
TomMasz | 11 years ago
tomjen3 | 11 years ago
shiggerino | 11 years ago
roghummal | 11 years ago
[deleted]
rikkus | 11 years ago
This story is probably redundant now, then.
tomaac | 11 years ago
bootload | 11 years ago
Given that OpenBSD has been doing a post-Heartbleed code review of OpenSSL since April 2014 to build LibreSSL [0], is it wise to assume this?
[0] http://arstechnica.com/information-technology/2014/04/openss...