This is not a fair comparison.

LibreSSL forked OpenSSL 1.0.1. Therefore LibreSSL would never have been vulnerable to issues that did not affect 1.0.1 - since those arose after the codebases split. A fairer comparison would be to compare issues that affected OpenSSL 1.0.1 with LibreSSL. You also should not include CVE-2015-0204 since that is just a reclassification of a previously fixed defect. Simillarly CVE-2015-0292 was a historic issue not in recent versions of OpenSSL so also should not be included. By the time you remove all of those you get down to one issue that affected OpenSSL but not LibreSSL:

DoS via reachable assert in SSLv2 servers (CVE-2015-0293) - Severity: Moderate

This issue also did not affect the current development version of OpenSSL only historic versions due to clean ups the OpenSSL team have been doing.

First of full disclosure...I am a member of the OpenSSL development team.

I've read a lot of anti-OpenSSL comments here along with some fairly amusing conspiracy theories! Some criticism is fair but much is not in my view.

OpenSSL is a very different project to what it was a year ago. This time last year the development team was very small (6 people...not all of whom were active coders, most of whom were doing it in their spare time). Supporting the project was (and still is) a thankless task, and they did their best - but frankly the resources were not there to do the job properly. There is now a whole new team, built upon the original, running the project. We have gone from 6 people to 15 and brought on board a number of full timers. I know most of that team personally, and I can tell you that you couldn't hope to find a more dedicated and experienced team. There is a strong sense of responsibility, along with lots of plans in place for how to make things better.

A lot is said about the problems with OpenSSL. Let me tell you about some of its strengths. The library will run on practically anything from desktops, to high end servers, to embedded devices, to mainframes, to mobile phones. It is highly optimised and is *fast*. We are lucky enough to have Andy Polyakov on the team who brings an exceptional talent in performing those optimisations. Due to its position in the market place OpenSSL is probably the most studied security software product out there. That study has intensified since Heartbleed. During the last year there have been a number of security issues identified and fixed as a result of that intensified study. This is a *good* news story.

I am really excited about what the future holds for the project. We are busy working on 1.1.0, which brings with it a focus on reducing complexity. Improved documentation (which I've seen mentioned a number of times on this page) is also on our roadmap. I'm not complacent...I know there is a lot still to do...but I have a huge amount of confidence in the team that is now in place.

If you are using OpenSSL as a client then you are vulnerable. On the server side the bug is till there but there is no known way of exploiting it prior to 1.0.1. You are still recommended to upgrade - but ubuntu will provide the relevant fixes.

My son has used this book, and I can thoroughly recommend it. It leads the kid through programming by getting them to write various games in python - increasing in complexity throughout. When I was kid learning to program, writing games is what I first wanted to do. The book gets the tone just right, and I think my son has enjoyed working with it.

Goodbye Anne. RIP.

SNAP! Well almost snap. I don't like coffee (or tea), or smoking. I like beer, but turned teetotal 2.5 years ago for health reasons. Also don't do drugs (or religion, so being a mormon is definitely off).

Now, I'll just sit here by myself, reading slashdot and drinking my water. I'm enjoying myself dammit!!