TLS verification vulnerability in LibreSSL 2.5.1-2.5.3

Here&#x27;s the referenced commit for the interested: <a href="https:&#x2F;&#x2F;github.com&#x2F;libressl-portable&#x2F;openbsd&#x2F;commit&#x2F;ddd98f8ea741a122952185a36c1396c14c2fda74#diff-027facc0b7c35aa46b0e8fa7b467f1c4" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;libressl-portable&#x2F;openbsd&#x2F;commit&#x2F;ddd98f8e...</a><p>To be honest I&#x27;m kinda surprised that even after the &#x27;goto fail&#x27; story people still write code in this questionable style(I know this particular issue is not stemming from the lack of curly braces, but still).

The severity of this issue is being overplayed, some programs were returning 1 in callbacks, a lot of software in the wild interpreted it the way LibreSSL did and hence the attempt at error sanitization. There are patches out for OpenBSD 6.1, LibreSSL 2.5.4 contains the fix.<p><a href="https:&#x2F;&#x2F;www.openbsd.org&#x2F;errata61.html" rel="nofollow">https:&#x2F;&#x2F;www.openbsd.org&#x2F;errata61.html</a><p><a href="https:&#x2F;&#x2F;ftp.openbsd.org&#x2F;pub&#x2F;OpenBSD&#x2F;LibreSSL&#x2F;libressl-2.5.4-relnotes.txt" rel="nofollow">https:&#x2F;&#x2F;ftp.openbsd.org&#x2F;pub&#x2F;OpenBSD&#x2F;LibreSSL&#x2F;libressl-2.5.4-...</a><p>OpenBSD 6.1 users can now also run syspatch(8).

Who uses LibreSSL on production or in their apps?

Does this affect users of libtls?