Folks - another OpenSSL vulnerability was announced last week[1]. I believe our current SSVMs are running Wheezy, so they should be OK according to [2].

This makes me ponder, though: Should we consider moving to LibreSSL[3] in the future? For those not familiar, it’s a fork of OpenSSL with more emphasis on cleaning up the code and improving the security of the codebase. From what I’ve seen so far, it should be a “drop in” replacement for OpenSSL, but I haven’t tested that theory out yet.

I originally brought this up on security@, but it was quickly pointed out that, as it’s not an actual vulnerability in ACS, we should discuss it in public, so here we are.

Looking for thoughts, maybe somebody has experience moving from OpenSSL to LibreSSL in another project?

John

1: https://www.openssl.org/news/secadv/20160128.txt
2: https://security-tracker.debian.org/tracker/CVE-2016-0701
3: http://www.libressl.org/