It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based distributions as
well, correct?
It doesn't appear that the fix has been applied to the OpenSSL_0_9_8-stable
branch yet though. I suppose it might need a few tweaks to apply there
cleanly...
Thanks
On Wed, 26 Mar 2014 06:55:41 + geoff_l...@mcafee.com wrote:
It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
distributions as well, correct?
Yes, 0.9.8y also uses the same Lopez/Dahab algo when computing
elliptic scalar mult on curves defined over binary fields
(i.e. GF(2^m
On Tue, Mar 25, 2014, geoff_l...@mcafee.com wrote:
It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based distributions as
well, correct?
Yes that's correct but we weren't planning on making any more 0.9.8 releases.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer
On Tue, Mar 25, 2014 at 09:23:58PM +, geoff_l...@mcafee.com wrote:
It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
distributions as well, correct?
Isn't this an ECDSA issue? I thought that EC algorithms are by
default disabled in OpenSSL 0.9.8 (require explicit ECCdraft
On Wed, Mar 26, 2014, Viktor Dukhovni wrote:
On Tue, Mar 25, 2014 at 09:23:58PM +, geoff_l...@mcafee.com wrote:
It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
distributions as well, correct?
Isn't this an ECDSA issue? I thought that EC algorithms are by
default
Dr. Stephen Henson steve at openssl.org writes:
On Wed, Mar 26, 2014, Viktor Dukhovni wrote:
Perhaps given the number of post-0.9.8y commits pending on the
OpenSSL_0_9_8-stable branch, one final z release could be issued,
no more commits made after that, and plans to not make any further