FiloSottile

Patch: https://github.com/openssl/openssl/commit/70428eada9bc4cf314...

Advisory mirror: https://gist.github.com/FiloSottile/99ad6b52688f5a1f0a5fa200...

Preliminary analysis: https://news.ycombinator.com/item?id=11621038

CiPHPerCoder

    But it no longer
    checked that there was enough data to have both the MAC and padding
    bytes.
... I am beyond words.
pjmlp

Just the C usual stuff, but good bone coders use all the warnings and analyzers from gcc and clang and never commit such errors.

adrianN

I'm not sure whether you are sarcastic or not, but to me the seemingly endless amount of this kind of bug in high profile projects like OpenSSL is pretty good proof that nobody can write secure C.

CiPHPerCoder
What about https://github.com/jedisct1/libsodium then?

Very high profile, no CVEs found to date.

EDIT: Can't respond to lambda below.

I was responding to THIS assertion, not proposing libsodium as a general purpose openssl replacement: "nobody can write secure C."

To which I said, here's a project that's written in C that's apparently secure.