[openssl-users] regarding the vulnerability CVE-2015-1788

Matt Caswell matt at openssl.org
Thu Jul 2 12:56:39 UTC 2015



On 02/07/15 13:28, Jaya Nageswar wrote:
> Dear openssl users,
> 
> I have a question regarding the vulnerability CVE-2015-1788.
> 
> At http://openssl.org/news/secadv_20150611.txt, I would like to get the
> clarification on the follwing statement.
> 
> This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
> 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are affected.
> 
> I would like to know in which version of 0.9.8, this vulnerability is
> fixed. I do not find the code changes related to this in 0.9.8zg that
> are committed for
> 1.0.1n(https://github.com/openssl/openssl/commit/4924b37ee01f71ae19c94a8934b80eeb2f677932)
> for fixing the same. Is the fix different for 0.9.8 and 1.0.1 versions. 
> Please help me.

Like the advisory said, 0.9.8r and below are affected...or putting it
another way 0.9.8s is the first version where this vulnerability is fixed.

The fix is different between the two versions - 0.9.8 doesn't have the
optimised implementation of that function that is present in later
versions. Unfortunately the same bug existed in both the optimised and
unoptimised forms. The un-optimised version got fixed some while ago,
but the optimised version did not. The fix in 0.9.8 is here:

https://github.com/openssl/openssl/commit/22152d6885fac98777ae1d7626a78c20b1ab4295

Matt



More information about the openssl-users mailing list