[openssl-users] Need more information on CVE-2016-2842

Matt Caswell matt at openssl.org
Mon Apr 11 19:14:10 UTC 2016



On 11/04/16 19:12, Sandeep Umesh wrote:
> Hello
> 
> Can someone please provide more information on CVE-2016-2842? Is this
> different from CVE-2016-0799? Looks like this CVE information is not
> captured in the advisory -
> http://openssl.org/news/secadv/20160301.txt
> 
> Also, does the patch below fix both CVE-2016-2842 and CVE-2016-0799 -
> https://git.openssl.org/?p=openssl.git;a=commit;h=578b956fe741bf8e84055547b1e83c28dd902c73


CVE-2016-2842 is an identifier that was not issued by the OpenSSL
Project and hence does not appear in the security advisory. The OpenSSL
Project assigned CVE-2016-0799 and gave it the description as it appears
in the advisory. Another organisation decided to split that into two
different CVEs and assigned CVE-2016-2842. Whether you think of it as
one CVE or two, the fix is the same, i.e. the commit that you identified
fixes both.

Matt

