[openssl-dev] CVE-2016-2177

Philip Bellino pbellino at mrv.com
Wed Jun 29 19:00:02 UTC 2016


Rich,
We have customers who are asking us to address this vulnerability as well as CVE-2016-2178.
CVE-2016-2177 (s3_srvr.c, ssl_sess.c, t1_lib.c)
CVE-2016-2178 (dsa_ossl.c).

Do you see any reason why we should not go ahead and add these changes to our existing 1.0.2h code?

Thanks,
Phil



-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Salz, Rich
Sent: Tuesday, June 28, 2016 11:23 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] CVE-2016-2177

>Will you be releasing 1.0.2i soon to address this issue?
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177

Please see https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

Short answer: this is a LOW issue, and does not justify a release by itself.

--
Senior Architect, Akamai Technologies
IM: richsalz at jabber.at Twitter: RichSalz

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev

