tech-security archive


Re: NetBSD Security Advisory 2009-009: OpenSSL DTLS Memory Exhaustion and DSA signature verification vulnerabilities



Hi,

On Fri, Jul 17, 2009 at 04:39:13PM -0400, Taylor R Campbell wrote:
> The problem was that updating src/lib/libcrypto brought in Joerg
> Sonnenberger's change to make libcrypto use libc's new SHA-224
> implementation -- but since I had not also installed a new libc,
> loading any object linked against libcrypto would fail.

I guess so, but I don't think we can guarantee that the instructions
of an advisory won't "go bad" due to a separate advisory (which will
be issued soon, by the way).

I think the binary updates I was working on would solve this problem,
but due to too many demands on various sides ("You must send full file
replacements", "You must use PGP, not SSL") I had to put this project
in the fridge until I have time to take care of them all.

                                Tonnerre

Attachment: pgpEFKdU4H74b.pgp
Description: PGP signature


