[issue823] openssl buffer overflow.
ejc
eric.j.christeson at gmail.com
Thu Oct 4 13:01:43 PDT 2007
On 10/4/07, Matthew Dillon <dillon at apollo.backplane.com> wrote:
> :Simon 'corecode' Schubert <corecode at fs.ei.tum.de> added the comment:
> :
> :We have 0.9.8e in the tree. As far as I can tell, this should not be
> :affected -- at least from looking at the CVE summaries. They all only
> :talk about <=3D 0.9.8d. Unfortunately openssl.org doesn't really publish
> :security issues (in a prominent place).
> :
> :cheers
> : simon
>
> Ok, I'd appreciate it if someone could check that patch I posted against
> what we have in the tree to determine whether our version is ok or not.
>
> Yah, yah, I could do it myself, but I'm trying to push for wider
> participation here :-)
The patch applies to our codebase. I'm trying to ascertain whether or
not 0.9.8e is affected and it seems it should be -- the function in
question is identical between 0.9.8d and 0.9.8e. The function doesn't
appear to be used very much, so it's probably a low-exposure
vulnerability, but that's not really the point, is it? :-) From the
openssl cvs logs, they've checked the fix in on all the branches, but
haven't cut a new release yet, so 0.9.8e is probably vulnerable.
Eric
More information about the Bugs
mailing list