On Thu, Jun 05, 2014 at 05:13:33PM +0100, Adam D. Barratt wrote:
> On 2014-06-05 15:46, Florian Zumbiehl wrote:
> >Hi,
> >
> >>Package        : openssl
> >>CVE ID         : CVE-2014-0195 CVE-2014-0221 CVE-2014-0224 CVE-2014-3470
> >
> >is it intentional that you didn't fix CVE-2014-0198
> 
> That was fixed last month - https://www.debian.org/security/2014/dsa-2931

So that's fixed since 1.0.1e-2+deb7u9

> >and CVE-2010-5298?
> 
> https://security-tracker.debian.org/tracker/CVE-2010-5298 indicates that
> this is only an issue if OPENSSL_NO_BUF_FREELIST is enabled, which it's not
> in the Debian package. Is that not correct?

This was fixed in DSA-2908-1 (1.0.1e-2+deb7u7).

I think that comment is wrong. It depends on the use of the
SSL_MODE_RELEASE_BUFFERS option by applications.

As far as I know OPENSSL_NO_BUF_FREELIST will have an effect on
how likely it is that you run into a problem with it, but the
problem is always there.


Kurt


Archive: https://lists.debian.org/20140605172941.ga29...@roeckx.be