Hi openssl-users,
I am researching the known vulnerabilities of open source software that we are considering. According to the NIST NVD web site, the 1.1.1d version of OpenSSL has a few known vulnerabilities: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aopenssl&cpe_product=cpe%3A%2F%3A%3Aopenssl&cpe_version=cpe%3A%2F%3Aopenssl%3Aopenssl%3A1.1.1d
It appears most of the vulnerabilities that are listed by NIST can be dismissed since the security vulnerability was actually in an application that uses OpenSSL instead of being in OpenSSL itself.
But I've been unable to determine with certainty how the last vulnerability on this list (CVE-1999-0428) was fixed. In my research, I've found a potential OpenSSL update in release 0.9.2b that may have addressed the vulnerability: https://seclists.org/bugtraq/1999/Mar/144. But this security alert message doesn't reference any CVE number.
The OpenSSL Vulnerabilities web page (https://www.openssl.org/news/vulnerabilities.html) doesn't go back to 1999, so it doesn't provide any information regarding this vulnerability.
Can anyone point me to OpenSSL documentation that indicates CVE-1999-0428 was fixed? Thanks.
