regarding the vulnerability CVE-2015-1788

On 02/07/15 13:28, Jaya Nageswar wrote:
> Dear openssl users,
> 
> I have a question regarding the vulnerability CVE-2015-1788.
> 
> At http://openssl.org/news/secadv_20150611.txt, I would like to get
> clarification on the following statement.
> 
> This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
> 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are affected.
> 
> I would like to know in which version of 0.9.8, this vulnerability is
> fixed. I do not find the code changes related to this in 0.9.8zg that
> are committed for
> 1.0.1n (https://github.com/openssl/openssl/commit/4924b37ee01f71ae19c94a8934b80eeb2f677932)
> for fixing the same. Is the fix different for the 0.9.8 and 1.0.1 versions?
> Please help me.

Like the advisory said, 0.9.8r and below are affected... or, putting it
another way, 0.9.8s is the first version where this vulnerability is fixed.

The fix is different between the two versions - 0.9.8 doesn't have the
optimised implementation of that function that is present in later
versions. Unfortunately the same bug existed in both the optimised and
unoptimised forms. The unoptimised version got fixed some while ago,
but the optimised version did not. The fix in 0.9.8 is here:

https://github.com/openssl/openssl/commit/22152d6885fac98777ae1d7626a78c20b1ab4295

Matt
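The question in this thread is really "is my build old enough to still have the bug?", and with OpenSSL's letter-suffixed releases that comparison is easy to get wrong by hand (0.9.8zg is newer than 0.9.8s, even though "s" sorts after "z" as a single letter). The following is an added example, not code from the thread or from the OpenSSL project. The 0.9.8s and 1.0.1n thresholds come from the messages above; 1.0.0e follows from the quoted advisory sentence "1.0.0d and below are affected"; 1.0.2b is the 1.0.2 release that accompanied the 11 June 2015 advisory. The function and variable names are my own.

```python
import re

# First release of each affected branch that carries the CVE-2015-1788 fix.
# 0.9.8s and 1.0.1n are stated in the thread; 1.0.0e follows from the advisory
# text quoted above; 1.0.2b is the 1.0.2 release shipped with that advisory.
FIRST_FIXED = {
    (0, 9, 8): "0.9.8s",
    (1, 0, 0): "1.0.0e",
    (1, 0, 1): "1.0.1n",
    (1, 0, 2): "1.0.2b",
}

# Matches "0.9.8zg", "1.0.1n", "1.0.2k-fips" (suffix stops at the hyphen) and
# the version embedded in a full `openssl version` line.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), letters) from a bare version string or the
    first line of `openssl version` output, e.g. 'OpenSSL 0.9.8zg 11 Jun 2015'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def suffix_key(letters):
    """Sort key reproducing OpenSSL's letter-release order.

    Releases run a..z and then za, zb, ...; an empty suffix is the base
    release.  Ordering by (length, letters) gives '' < 'a' < ... < 'z' < 'za'
    < 'zg', which a plain string comparison would get wrong ('zg' < 's' is
    False, but 's' < 'z' would also put 0.9.8s before 0.9.8z, so length has
    to be compared first).
    """
    return (len(letters), letters)


def is_fixed(text):
    """True if the version is at or past the first fixed release on its
    branch, False if it is still affected, None if the branch is not one
    the advisory covers (e.g. 1.1.0 or 3.x, released after the fix)."""
    branch, letters = parse_version(text)
    fixed = FIRST_FIXED.get(branch)
    if fixed is None:
        return None
    _, fixed_letters = parse_version(fixed)
    return suffix_key(letters) >= suffix_key(fixed_letters)


if __name__ == "__main__":
    # Constructed sample inputs in the shape of `openssl version` output.
    for line in ("OpenSSL 0.9.8r 8 Feb 2011",
                 "OpenSSL 0.9.8zg 11 Jun 2015",
                 "OpenSSL 1.0.1m 19 Mar 2015",
                 "OpenSSL 1.0.2k-fips  26 Jan 2017"):
        print("%-35s fixed=%s" % (line, is_fixed(line)))
```

The check only reasons about the upstream version string. Distribution packages routinely backport the fix without bumping the letter (Debian, Ubuntu and RHEL all did for the June 2015 advisory), so a result of False on a vendor build means "check the package changelog", not "vulnerable".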


