[openssl-users] CVE-2016-2177
Matt Caswell
matt at openssl.org
Tue Aug 16 08:53:38 UTC 2016
On 16/08/16 09:50, Sandeep Umesh wrote:
> Hi
>
> Has this been officially published in OpenSSL? Haven't seen a security
> advisory for the same.
>
No. This is a low severity issue. As per our security policy we push
fixes for these to our repo as soon as we have them. They are then
rolled up in the next official release whenever that happens to be:
https://www.openssl.org/policies/secpolicy.html
For a discussion on this specific issue, see:
https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/
Matt
> Regards
> Sandeep
>
>
> From: "Salz, Rich" <rsalz at akamai.com>
> To: "openssl-users at openssl.org" <openssl-users at openssl.org>
> Date: 08/13/2016 12:51 AM
> Subject: Re: [openssl-users] CVE-2016-2177
> Sent by: "openssl-users" <openssl-users-bounces at openssl.org>
>
> ------------------------------------------------------------------------
>
>
>
> Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1
>
> --
> Senior Architect, Akamai Technologies
> IM: richsalz at jabber.at Twitter: RichSalz
>
> *From:* Scott Neugroschl [mailto:scott_n at xypro.com]
> *Sent:* Friday, August 12, 2016 3:11 PM
> *To:* openssl-users at openssl.org
> *Subject:* [openssl-users] CVE-2016-2177
>
> CVE 2016-2177 notes that it applies to all versions up to 1.0.2h. Does
> this mean that the fix is not applied to the 1.0.1 series (in particular
> 1.0.1t)?
>
>
> ---
> Scott Neugroschl | XYPRO Technology Corporation
> 4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805
> 583-2874|Fax 805 583-0124 |
>
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
>
>