On Wed, Jul 31, 2002 at 09:29:14PM +0000, Tina Bird wrote: > The vendors listed in the CERT advisory on the OpenSSL vulnerabilities are > all producing server-side software: > > http://www.cert.org/advisories/CA-2002-23.html > > Does anyone know if Netscape, Opera, Internet Explorer or any of the other > browsers are vulnerable to these issues? > This from a post by Opera developer Espen Sand on news://opera.linux : > From: Espen Sand <espen@opera.com> > Newsgroups: opera.linux > Subject: Re: openssl bug also in Opera? > Date: Wed, 31 Jul 2002 15:37:17 +0200 > Message-ID: <3D47E80D.93BA4EE6@opera.com> > References: <3D47BD5D.A2A03F8F@informatik.uni-kiel.de> > > Frank Steiner wrote: > > > > Hi, > > > > is Opera affected by the openssl bug that was just announced, or do you use > > a different SSL implementation? > > I asked our security master and here is the reply: > > <reply> > The only relevant part for Opera is the ANS1 issue in the second advisory. > The other information concerns their SSL implementation, code that we are > not using at all. > > I have the relevant patches but I do not believe the patches are vital for > anything but 64-bit systems. The affected buffers in our code are 16 bytes > long, and would in the patched version become 12 bytes long for 32 bit > ints/longs and pointers. > > These problems will in any case be fixed when I upgrade to the newest > OpenSSL 0.9.7 release (presently in beta 3) on main branch. > </reply> > > > -- > Espen Sand > espen@opera.com hth -troy