[openssl-dev] [openssl.org #3734] question about 0.9.7 branch
Viktor Dukhovni
openssl-users at dukhovni.org
Sat Mar 7 17:42:45 UTC 2015
On Sat, Mar 07, 2015 at 06:14:17PM +0100, Allauddin Ahmad via RT wrote:
OpenSSL 0.9.7 has been unsupported for quite some time. Therefore,
as far as I know the OpenSSL team is not checking 0.9.7 to verify
whether it is or is not affected by any recent vulnerability
disclosures. It is almost certainly vulnerable to a number of
unpatched issues older than the ones you list. That said:
> * DTLS segmentation fault in dtls1_get_record (CVE-2014-3571)
> * DTLS memory leak in dtls1_buffer_record (CVE-2015-0206)
0.9.7 has no DTLS support, so these can't be a problem.
> * no-ssl3 configuration sets method to NULL (CVE-2014-3569)
The Solaris 0.9.7 is not compiled without SSLv3 support.
> * ECDHE silently downgrades to ECDH [Client] (CVE-2014-3572)
0.9.7 has no support for elliptic curve cryptography.
--
Viktor.