Re: Bleichenbacher Vulnerability

Hi,

On Wed, 20 Dec 2017 11:51:39 +0530
haris iqbal <haris.phnx@xxxxxxxxx> wrote:

> I was wondering when exactly (the version) was the OpenSSL library
> patched for the Bleichenbacher Vulnerability?

It was probably fixed some time in the late 90s. However, according to
https://www.openssl.org/news/changelog.html

the countermeasures were accidentally removed in some 0.9.6 version.

However, there also was a 2012/2013 timing version of the attack fixed
here:
https://github.com/openssl/openssl/commit/adb46dbc6dd7347750df2468c93e8c34bcb93a4b

We also observed some old OpenSSL 0.9.8g crashing when we ran
Bleichenbacher scans against it, but we haven't entirely analyzed this.

> Wanted to know this, since my custom application uses an older version
> of OpenSSL, and I wanted to be sure that it is not affected.

Don't do this. Switch to a supported version. There's no way you will
plausibly keep this secure. Bleichenbacher attacks may be the least of
your worries.



-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@xxxxxxxxx
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



