CVE-2014-5139 patch

Hello users, NVD vulnerability database confirms the below link as the patch for CVE-2014-5139 - https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0 This is indicating to CVE-2014-2970. Where as, the commit for CVE-2014-5139 seems to be -

[openssl-users] openssl impact on CVE-2015-2808

Hello Users, Just want to understand the impact of openssl for RC4 Bar mitzvah attack. Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4. openssl is one of the implementers of RC4 algo. I am not sure if there will be any design change

[openssl-users] Logjam impact on 0.9.8y version

Hello, I see a fix for logjam has been provided from 1.0.1 and 1.0.2 versions of openssl. https://www.openssl.org/blog/blog/2015/05/20/logjam-freak-upcoming-changes/ Does that imply 0.9.8 is not impacted by logjam? Also, Is it not required to disable export cipher suites in 0.9.8 version?

[openssl-users] openSSL and SLOTH attack

Hello users, Is there any fixes available from openSSL community for the SLOTH attack - http://www.mitls.org/pages/attacks/SLOTH or what are the possible mitigation points? Thanks Sandeep ___ openssl-users mailing list To unsubscribe:

Re: [openssl-users] Need more information on CVE-2016-2842

boun...@openssl.org> On 11/04/16 19:12, Sandeep Umesh wrote: > Hello > > Can someone please provide more information on CVE-2016-2842? Is this > different from CVE-2016-0799 ? Looks like this CVE information is not > captured in the advisory - > _http://openssl.org/n

[openssl-users] Need more information on CVE-2016-2842

Hello Can someone please provide more information on CVE-2016-2842? Is this different from CVE-2016-0799 ? Looks like this CVE information is not captured in the advisory - http://openssl.org/news/secadv/20160301.txt Also, does this below patch fixes both CVE-2016-2842 and CVE-2016-0799 -

[openssl-users] test for DROWN CVE

Hello How can anyone test if the server is susceptible to DROWN CVE? Possibly one of the methods is to check at https://drownattack.com/#check Apart from this, will be below command also be useful to verify for the impact? - $ openssl s_client -connect : -ssl2 Regards Sandeep --

Re: [openssl-users] CVE-2016-2177

Hi Has this been officially published in openSSL ? Haven't seen a security advisory for the same. Regards Sandeep From: "Salz, Rich" To: "openssl-users@openssl.org" Date: 08/13/2016 12:51 AM Subject:Re: [openssl-users]

[openssl-users] Does CVE-2016-7055 only impact x86_64 platform ?

Hi Can you please clarify if CVE-2016-7055 only impact x86_64 platform ? What about other platforms listed in crypto/bn/asm/ folder which has Montgomery multiplication procedure, is it impacted ? Thanks Regards Sandeep -- openssl-users mailing list To unsubscribe:

Re: [openssl-users] Using TLS1.3 with OpenSSL

Hello Matt Are you planning to provide TLSv1.3 support for openSSL 1.0.2 version ? Thanks Sandeep From: Matt Caswell To: "openssl-users@openssl.org" , "openssl-...@openssl.org" Date: 05/04/2017 06:52

[openssl-users] FIPS certification for openssl

Hello As per this blog: https://www.openssl.org/blog/blog/2017/10/27/steve-marquess/ Steve who is instrumental in handling FIPS certification for openssl object module is no more associated with OSF. How can we proceed for future FIPS certification ? Is there any other contact person to perform

openssl 3.0 beta versus actual

Hello   While the beta version has been released now, please let us know if there is any timeline to release the actual 3.0 version ?   What changes are expected to be 3.0 version compared to its beta ? it is restricted to bug-fixes only ?   Thanks   Regards Sandeep