Re: [issue823] openssl buffer overflow.

["Simon 'corecode' Schubert" <corecode@xxxxxxxxxxxx>]

ejc wrote:
> On 10/4/07, Matthew Dillon <dillon@apollo.backplane.com> wrote:
>> :Simon 'corecode' Schubert <corecode@fs.ei.tum.de> added the comment:
>> :
>> :We have 0.9.8e in the tree.  As far as I can tell, this should not be
>> :affected -- at least from looking at the CVE summaries.  They all only
>> :talk about <=3D 0.9.8d.  Unfortunately openssl.org doesn't really publish
>> :security issues (in a prominent place).
>> :
>> :cheers
>> :  simon
>>
>>     Ok, I'd appreciate it if someone could check that patch I posted against
>>     what we have in the tree to determine whether our version is ok or not.
>>
>>     Yah, yah, I could do it myself, but I'm trying to push for wider
>>     participation here :-)
> 
> The patch applies to our codebase.  I'm trying to ascertain whether or
> not 0.9.8e is affected and it seems it should be -- the function in
> question is identical between 0.9.8d and 0.9.8e.  The function doesn't
> appear to be used very much, so it's probably a low-exposure
> vulnerability, but that's not really the point, is it? :-)  From the
> openssl cvs logs, they've checked the fix in on all the branches, but
> haven't cut a new release yet, so 0.9.8e is probably vulnerable.

So why does CVE have misleading information then?  Are openssl expecting
everybody to apply a patch instead of them just cutting a new release?

cheers
  simon