[openssl-users] regarding the vulnerability CVE-2015-1788
jaya.nageswar at gmail.com
Thu Jul 2 15:30:50 UTC 2015
Thanks, Matt, for the information provided.
On Thu, Jul 2, 2015 at 6:26 PM, Matt Caswell <matt at openssl.org> wrote:
> On 02/07/15 13:28, Jaya Nageswar wrote:
> > Dear openssl users,
> > I have a question regarding the vulnerability CVE-2015-1788.
> > At http://openssl.org/news/secadv_20150611.txt, I would like to get the
> > clarification on the following statement.
> > This issue affects OpenSSL versions: 1.0.2 and 1.0.1. Recent 1.0.0 and
> > 0.9.8 versions are not affected. 1.0.0d and 0.9.8r and below are
> > I would like to know in which version of 0.9.8, this vulnerability is
> > fixed. I do not find the code changes related to this in 0.9.8zg that
> > are committed for
> > 1.0.1n(
> > for fixing the same. Is the fix different for 0.9.8 and 1.0.1 versions?
> > Please help me.
> Like the advisory said, 0.9.8r and below are affected...or putting it
> another way 0.9.8s is the first version where this vulnerability is fixed.
> The fix is different between the two versions - 0.9.8 doesn't have the
> optimised implementation of that function that is present in later
> versions. Unfortunately the same bug existed in both the optimised and
> unoptimised forms. The un-optimised version got fixed some while ago,
> but the optimised version did not. The fix in 0.9.8 is here:
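
Added example (not part of the original thread, and not OpenSSL project code): a small Python check that orders letter-suffixed OpenSSL versions and applies the CVE-2015-1788 thresholds stated above, showing why 0.9.8zg already contains a fix that first shipped in 0.9.8s. The names `FIRST_FIXED`, `suffix_rank`, `parse_version` and `is_affected` are hypothetical; the 1.0.0e threshold is inferred from "1.0.0d ... and below", and 1.0.2 returns `None` because the thread names no fixed 1.0.2 release.

```python
import re

# First fixed release per branch, taken from the thread: 0.9.8s (Matt's reply),
# 1.0.0e (inferred from "1.0.0d ... and below"), 1.0.1n (the release the asker
# names as carrying the fix). The thread names no fixed 1.0.2 release.
FIRST_FIXED = {(0, 9, 8): "s", (1, 0, 0): "e", (1, 0, 1): "n", (1, 0, 2): None}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def suffix_rank(suffix):
    """Order letter suffixes: '' < a < ... < z < za < ... < zg < zh."""
    # After 'z' the scheme continues with 'za', 'zb', ...; reject anything else.
    if suffix and any(ch != "z" for ch in suffix[:-1]):
        raise ValueError(f"unexpected suffix: {suffix!r}")
    return sum(ord(ch) - ord("a") + 1 for ch in suffix)


def parse_version(text):
    """Split '0.9.8zg' into ((0, 9, 8), rank of 'zg')."""
    m = _VERSION_RE.match(text.strip().lower())
    if m is None:
        raise ValueError(f"not a letter-suffixed OpenSSL version: {text!r}")
    branch = tuple(int(part) for part in m.group(1, 2, 3))
    return branch, suffix_rank(m.group(4))


def is_affected(version):
    """True/False where the thread gives a threshold, None where it does not."""
    branch, rank = parse_version(version)
    first_fixed = FIRST_FIXED.get(branch)
    if first_fixed is None:
        return None  # branch not covered, or no fixed release named in the thread
    return rank < suffix_rank(first_fixed)


if __name__ == "__main__":
    # Constructed sample inputs covering each branch mentioned in the thread.
    for v in ("0.9.8r", "0.9.8s", "0.9.8zg", "1.0.0d", "1.0.1m", "1.0.1n", "1.0.2"):
        print(v, is_affected(v))
```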