Re: foss
Closed source has exactly the same issues; you just can't:
- know exactly where those issues are unless you have a code access agreement or are very good at working with binaries;
- see what a vendor did to fix a problem and thus be sure they (a) actually fixed it and (b) didn't create more problems in the process;
- fix really old legacy versions that the vendor no longer supports but you depend on;
- etc.
Humans make mistakes. It's unfortunate, but we can't avoid ever making mistakes. The most important thing is to be able to recover from the mistakes. All of the vendors that shipped broken versions of OpenSSL should have put out an update by now. If the setup you are running doesn't have an update, you can compile a newer version of OpenSSL, or, if a newer version won't work on your setup, you can backport the fix to a version that works on your system (I don't think there are any systems out there running the broken versions that couldn't compile the latest, though).
All of this "hah! I told you open source is crap" bleh bleh is nonsense either way. Closed source products have been using favourably licensed open source components forever. If closed source vendors really cared, there wouldn't be tons of different TLS implementations that are ALL broken in different ways.