<div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Hi openssl-users,</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><br>I am researching the known vulnerabilities of open source software that we are considering.  According to the NIST NVD web site, the 1.1.1d version of OpenSSL has a few known vulnerabilities: <a href="https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aopenssl&cpe_product=cpe%3A%2F%3A%3Aopenssl&cpe_version=cpe%3A%2F%3Aopenssl%3Aopenssl%3A1.1.1d">https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aopenssl&cpe_product=cpe%3A%2F%3A%3Aopenssl&cpe_version=cpe%3A%2F%3Aopenssl%3Aopenssl%3A1.1.1d</a></p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><br>It appears most of the vulnerabilities that are listed by NIST can be dismissed since the security vulnerability was actually in an application that uses OpenSSL instead of being in OpenSSL itself.</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><br>But I've been unable to determine with certainty how the last vulnerability on this list (CVE-1999-0428) was fixed.  In my research, I've found a potential OpenSSL update in release 0.9.2b that may have addressed the vulnerability: <a href="https://seclists.org/bugtraq/1999/Mar/144">https://seclists.org/bugtraq/1999/Mar/144</a>.  But this security alert message doesn't reference any CVE number.</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><br>The OpenSSL Vulnerabilities web page (<a href="https://www.openssl.org/news/vulnerabilities.html">https://www.openssl.org/news/vulnerabilities.html</a>) doesn't go back to 1999, so it doesn't provide any information regarding this vulnerability.</p><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"><br>Can anyone point me to OpenSSL documentation that indicates CVE-1999-0428 was fixed?  Thanks.<br></p></div>