thanks Matt for the information provided. On Thu, Jul 2, 2015 at 6:26 PM, Matt Caswell <matt at openssl.org> wrote: > > > On 02/07/15 13:28, Jaya Nageswar wrote: > > Dear openssl users, > > > > I have a question regarding the vulnerability CVE-2015-1788. > > > > At http://openssl.org/news/secadv_20150611.txt, I would like to get the > > clarification on the follwing statement. > > > > This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and > > 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are > affected. > > > > I would like to know in which version of 0.9.8, this vulnerability is > > fixed. I do not find the code changes related to this in 0.9.8zg that > > are committed for > > 1.0.1n( > https://github.com/openssl/openssl/commit/4924b37ee01f71ae19c94a8934b80eeb2f677932 > ) > > for fixing the same. Is the fix different for 0.9.8 and 1.0.1 versions. > > Please help me. > > Like the advisory said, 0.9.8r and below are affected...or putting it > another way 0.9.8s is the first version where this vulnerability is fixed. > > The fix is different between the two versions - 0.9.8 doesn't have the > optimised implementation of that function that is present in later > versions. Unfortunately the same bug existed in both the optimised and > unoptimised forms. The un-optimised version got fixed some while ago, > but the optimised version did not. The fix in 0.9.8 is here: > > > https://github.com/openssl/openssl/commit/22152d6885fac98777ae1d7626a78c20b1ab4295 > > Matt > > _______________________________________________ > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150702/a4d64122/attachment.html>
