Bug #823

closed

openssl buffer overflow.

Added by dillon over 16 years ago. Updated over 16 years ago.

Status: Closed
Priority: High
Assignee: -
Category: -
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:

Description

There's an advisory on a security hole in openssl on the FreeBSD lists.
Could someone apply the patch to HEAD and REL or (if fixed in later
versions of openssl) upgrade openssl?

fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch

-Matt

Actions #1

Updated by corecode over 16 years ago

We have 0.9.8e in the tree. As far as I can tell, this should not be
affected -- at least from looking at the CVE summaries. They all only
talk about <= 0.9.8d. Unfortunately openssl.org doesn't really publish
security issues (in a prominent place).

cheers
simon

Actions #2

Updated by dillon over 16 years ago

:Simon 'corecode' Schubert <> added the comment:
:
:We have 0.9.8e in the tree. As far as I can tell, this should not be
:affected -- at least from looking at the CVE summaries. They all only
:talk about <= 0.9.8d. Unfortunately openssl.org doesn't really publish
:security issues (in a prominent place).
:
:cheers
: simon

Ok, I'd appreciate it if someone could check that patch I posted against
what we have in the tree to determine whether our version is ok or not.
Yah, yah, I could do it myself, but I'm trying to push for wider
participation here :-)

-Matt

Actions #3

Updated by eric.j.christeson over 16 years ago

The patch applies to our codebase. I'm trying to ascertain whether or
not 0.9.8e is affected and it seems it should be -- the function in
question is identical between 0.9.8d and 0.9.8e. The function doesn't
appear to be used very much, so it's probably a low-exposure
vulnerability, but that's not really the point, is it? :-) From the
openssl cvs logs, they've checked the fix in on all the branches, but
haven't cut a new release yet, so 0.9.8e is probably vulnerable.

Eric

Actions #4

Updated by corecode over 16 years ago

So why does CVE have misleading information then? Are openssl expecting
everybody to apply a patch instead of them just cutting a new release?

cheers
simon

Actions #5

Updated by corecode over 16 years ago

I see. CVE has a wrong summary. We are vulnerable, openssl didn't cut
a new release yet. See [1] (i.e. 0.9.8e is vulnerable).

I'd actually wait for a couple of days before adding the patch to -HEAD.
Patch can go directly to the release branches.

cheers
simon

[1] http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded
