At 11:30 3/17/2004, Mark J Cox wrote: >> according to NISCC Vulnerability Advisory 224012 ( >> http://www.uniras.gov.uk/vuls/2004/224012/index.htm ), there is also a >> third potential DoS that was found with this testing sweep: CVE >> CAN-2004-0081. quoting from the NISCC advisory: > >Absolutely, but that was fixed back in 0.9.6d a long time ago.
there appears to be a new CVE number corresponding to this issue. that either means that 1) the issue is really new to CVE and most people weren't aware of it and should be made so, regardless of whether a fix was slipped in long ago or 2) the CVE number is a dupe and should be marked as such.
do you know which case we have?
if the former, the OpenSSL folks have a duty to advise their users of the newly discovered vulnerability. as the NISCC advisory states the issue would "affect vendors that ship older versions of OpenSSL with backported security patches". if the latter, then the NISCC folks need to clear things up in their advisory.
cheers, marc
