Re: ssl issues in 4.x?

To: d.den.brok%uni-bonn.de@localhost
Subject: Re: ssl issues in 4.x?
From: Matthias Drochner <M.Drochner%fz-juelich.de@localhost>
Date: Thu, 09 Apr 2009 12:56:04 +0200

> I haven't seen any pullups or requests

I forgot about 4.x. Just checked: CMS was added later,
so CVE-2009-0591 does not apply.
The ASN1 printing crash (CVE-2009-0590) seems to apply.
The Invalid ASN1 clearing check (CVE-2009-0789) might
apply, but since this is only an issue with the windows
ABI we don't need to take the risk.
Could you (or someone else) pull the patches into
a 4.x tree and check whether everything still builds
(and works)? That would be:

cvs rdiff -u -r1.9 -r1.10 src/crypto/dist/openssl/crypto/asn1/asn1.h
cvs rdiff -u -r1.1.1.8 -r1.2 src/crypto/dist/openssl/crypto/asn1/asn1_err.c
cvs rdiff -u -r1.8 -r1.9 src/crypto/dist/openssl/crypto/asn1/tasn_dec.c

In the tasn_dec.c patch, the first two hunks (removal of a NULL
assignment) belong to CVE-2009-0789. As said, I'd leave them out
for now.

thanks
Matthias




-------------------------------------------------------------------
-------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich

Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzende des Aufsichtsrats: MinDir'in Baerbel Brumme-Bothe
Geschaeftsfuehrung: Prof. Dr. Achim Bachem (Vorsitzender),
Dr. Ulrich Krafft (stellv. Vorsitzender), Prof. Dr. Harald Bolt,
Dr. Sebastian M. Schmidt
-------------------------------------------------------------------
-------------------------------------------------------------------

Follow-Ups:
- Re: ssl issues in 4.x?
  - From: Dennis den Brok

Prev by Date: ssl issues in 4.x?
Next by Date: Re: ssl issues in 4.x?
Previous by Thread: ssl issues in 4.x?
Next by Thread: Re: ssl issues in 4.x?
Indexes:

Home | Main Index | Thread Index | Old Index