On 02/07/15 13:28, Jaya Nageswar wrote: > Dear openssl users, > > I have a question regarding the vulnerability CVE-2015-1788. > > At http://openssl.org/news/secadv_20150611.txt, I would like to get the > clarification on the follwing statement. > > This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and > 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are affected. > > I would like to know in which version of 0.9.8, this vulnerability is > fixed. I do not find the code changes related to this in 0.9.8zg that > are committed for > 1.0.1n(https://github.com/openssl/openssl/commit/4924b37ee01f71ae19c94a8934b80eeb2f677932) > for fixing the same. Is the fix different for 0.9.8 and 1.0.1 versions. > Please help me. Like the advisory said, 0.9.8r and below are affected...or putting it another way 0.9.8s is the first version where this vulnerability is fixed. The fix is different between the two versions - 0.9.8 doesn't have the optimised implementation of that function that is present in later versions. Unfortunately the same bug existed in both the optimised and unoptimised forms. The un-optimised version got fixed some while ago, but the optimised version did not. The fix in 0.9.8 is here: https://github.com/openssl/openssl/commit/22152d6885fac98777ae1d7626a78c20b1ab4295 Matt
