John,
Can the CS community decide that? From my point of view it is the OS
distribution owner who does. OpenSSL is a system package and you probably
can't skip it, unless you create your own Linux distribution.
Vadim.
On 2016-02-03 17:48, John Kinsella wrote:
Folks - another OpenSSL vulnerability was announced last week[1]. I
believe our current SSVMs are running Wheezy, so they should be OK
according to [2].
This makes me ponder, though: Should we consider moving to LibreSSL[3]
in the future? For those not familiar, it's a fork of OpenSSL with more
emphasis on cleaning up the code and improving the security of the
codebase.
From what I've seen so far, it should be a "drop in" replacement for
OpenSSL, but I haven't tested that theory out yet.
I originally brought this up on security@, but it was quickly pointed
out that, as it's not an actual vulnerability in ACS, we should discuss it
in public, so here we are.
Looking for thoughts; maybe somebody has experience moving from OpenSSL
to LibreSSL in another project?
John
1: https://www.openssl.org/news/secadv/20160128.txt
2: https://security-tracker.debian.org/tracker/CVE-2016-0701
3: http://www.libressl.org/