CVE-2017-8301 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-8301): LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx.
Fix is reverting commit ddd98f8ea741a122952185a36c1396c14c2fda74 [1] as per [2], as we did in Alpine [3].

[1]: https://github.com/libressl-portable/openbsd/commit/ddd98f8ea741a122952185a36c1396c14c2fda74
[2]: https://github.com/libressl-portable/portable/issues/307#issuecomment-297200962
[3]: https://git.alpinelinux.org/cgit/aports/commit/?id=500f378f52a862e91c61de633df00197d4afd366
FYI, LibreSSL released portable version 2.5.4 yesterday, which contains a fix for this CVE, as per the GitHub issue linked in comment 1.
@ Maintainer(s): Please drop =dev-libs/libressl-2.5.3!
(In reply to Thomas Deutschmann from comment #3)
> @ Maintainer(s): Please drop =dev-libs/libressl-2.5.3!

I've dropped 2.5.3.