Hi All,
We are using OpenSSL version 0.9.8h. We take the security vulnerability
fixes from latest release of OpenSSL 0.9.8 series and patch our internally
used 0.9.8h.
From the OpenSSL release 0.9.8za, we took CVE-2014-0224 and merged it into our
OpenSSL code. But in latest release 0.9.8za, I see
Does the recent vulnerability exposed in openSSL - CVE-2014-0224 and
CVE-2014-0221 affect openssl-fips-2.0.5 ?
If Yes, How do I get fips compliant openSSL?
-Karthik R
On Thu, Jun 12, 2014, Karthik R wrote:
Does the recent vulnerability exposed in openSSL - CVE-2014-0224 and
CVE-2014-0221 affect openssl-fips-2.0.5 ?
If Yes, How do I get fips compliant openSSL?
If you mean the FIPS module then no. The FIPS module does not contain any
TLS or DTLS code
Hi guys,
I know 0.9.7 is no longer under development, but for various reasons, I have an
app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
Thanks,
ScottN
On Wed, Jun 11, 2014, Scott Neugroschl wrote:
Hi guys,
I know 0.9.7 is no longer under development, but for various reasons, I have
an app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
I think you mean CVE-2014-0224. Yes it is vulnerable
On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:
I know 0.9.7 is no longer under development, but for various
reasons, I have an app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
There are I expect many unresolved issues (even if not
From Victor:
On Wed, Jun 11, 2014 at 04:09:47PM +, Scott Neugroschl wrote:
I know 0.9.7 is no longer under development, but for various reasons,
I have an app that is still using 0.9.7g.
Is 0.9.7g subject to the vulnerability from CVD-0214-0224?
There are I expect many unresolved issues
On Wed, Jun 11, 2014 at 07:07:09PM +, Scott Neugroschl wrote:
We are aware of this, and are looking to upgrade. Does anyone
have a recommendation as to 0.9.8 vs 1.0.0 (1.0.1 is too bleeding
edge)? If you have a recommendation, may I ask what led you to
choose that path?
I would
CVE-2014-0224 looks like an interesting issue
(https://www.openssl.org/news/secadv_20140605.txt):
An attacker using a carefully crafted handshake
can force the use of weak keying material in
OpenSSL SSL/TLS clients and servers. This can
be exploited by a Man-in-the-middle (MITM
Can anyone explain the vulnerability?
A handful of links
Here's the timeline, a public document:
https://plus.google.com/u/0/+MarkJCox/posts/L8i6PSsKJKs
And this blog entry from the guy who found the bug. BTW, it's 16 years old.
I am also quite curious.
Also, how long has this exploit been around, and could hackers have
exploited this already?
2014-06-05 22:46 GMT+02:00 Jeffrey Walton noloa...@gmail.com:
CVE-2014-0224 looks like an interesting issue
(https://www.openssl.org/news/secadv_20140605.txt
On Thu, Jun 5, 2014 at 4:49 PM, Salz, Rich rs...@akamai.com wrote:
Can anyone explain the vulnerability?
A handful of links
Here's the timeline, a public document:
https://plus.google.com/u/0/+MarkJCox/posts/L8i6PSsKJKs
And this blog entry from the guy who found the bug. BTW, it's
I've also added these into the wiki at
http://wiki.openssl.org/index.php/SECADV_20140605 - so that others
looking back through the issues can find a handy reference to the
additional information from various locations - the link at
http://wiki.openssl.org/index.php/Security_Advisories basically