DragonFly bugs List (threaded) for 2007-10
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
[
Date Index][
Thread Index]
Re: [issue823] openssl buffer overflow.
Simon 'corecode' Schubert wrote:
> ejc wrote:
>> On 10/4/07, Matthew Dillon <dillon@apollo.backplane.com> wrote:
>>> :Simon 'corecode' Schubert <corecode@fs.ei.tum.de> added the comment:
>>> :
>>> :We have 0.9.8e in the tree. As far as I can tell, this should not be
>>> :affected -- at least from looking at the CVE summaries. They all only
>>> :talk about <=3D 0.9.8d. Unfortunately openssl.org doesn't really publish
>>> :security issues (in a prominent place).
>>> :
>>> :cheers
>>> : simon
>>>
>>> Ok, I'd appreciate it if someone could check that patch I posted against
>>> what we have in the tree to determine whether our version is ok or not.
>>>
>>> Yah, yah, I could do it myself, but I'm trying to push for wider
>>> participation here :-)
>> The patch applies to our codebase. I'm trying to ascertain whether or
>> not 0.9.8e is affected and it seems it should be -- the function in
>> question is identical between 0.9.8d and 0.9.8e. The function doesn't
>> appear to be used very much, so it's probably a low-exposure
>> vulnerability, but that's not really the point, is it? :-) From the
>> openssl cvs logs, they've checked the fix in on all the branches, but
>> haven't cut a new release yet, so 0.9.8e is probably vulnerable.
>
> So why does CVE have misleading information then? Are openssl expecting
> everybody to apply a patch instead of them just cutting a new release?
I see. CVE has a wrong summary. We are vulnerable, openssl didn't cut
a new release yet. See [1] (i.e. 0.9.8e *is* vulnerable).
I'd actually wait for a couple of days before adding the patch to -HEAD.
Patch can go directly to the release branches.
cheers
simon
[1] http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
[
Date Prev][
Date Next]
[
Thread Prev][
Thread Next]
[
Date Index][
Thread Index]