Re: [openssl-users] CVE-2016-2177
On 16/08/16 09:50, Sandeep Umesh wrote:
> Hi
>
> Has this been officially published in openSSL ? Haven't seen a security
> advisory for the same.
>

No. This is a low severity issue. As per our security policy we push fixes for these to our repo as soon as we have them. They are then rolled up in the next official release whenever that happens to be:

https://www.openssl.org/policies/secpolicy.html

For a discussion on this specific issue, see:

https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

Matt

> Regards
> Sandeep
>
> From: "Salz, Rich" <rs...@akamai.com>
> To: "openssl-users@openssl.org" <openssl-users@openssl.org>
> Date: 08/13/2016 12:51 AM
> Subject: Re: [openssl-users] CVE-2016-2177
> Sent by: "openssl-users" <openssl-users-boun...@openssl.org>
>
> Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1
>
> --
> Senior Architect, Akamai Technologies
> IM: richs...@jabber.at Twitter: RichSalz
>
> *From:* Scott Neugroschl [mailto:scot...@xypro.com]
> *Sent:* Friday, August 12, 2016 3:11 PM
> *To:* openssl-users@openssl.org
> *Subject:* [openssl-users] CVE-2016-2177
>
> CVE 2016-2177 notes that it applies to all versions up to 1.0.2h. Does
> this mean that the fix is not applied to the 1.0.1 series (in particular
> 1.0.1t)?
>
> ---
> Scott Neugroschl | XYPRO Technology Corporation
> 4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805
> 583-2874 | Fax 805 583-0124 |

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] CVE-2016-2177
Hi

Has this been officially published in openSSL ? Haven't seen a security advisory for the same.

Regards
Sandeep

From: "Salz, Rich" <rs...@akamai.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Date: 08/13/2016 12:51 AM
Subject: Re: [openssl-users] CVE-2016-2177
Sent by: "openssl-users" <openssl-users-boun...@openssl.org>

Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

From: Scott Neugroschl [mailto:scot...@xypro.com]
Sent: Friday, August 12, 2016 3:11 PM
To: openssl-users@openssl.org
Subject: [openssl-users] CVE-2016-2177

CVE 2016-2177 notes that it applies to all versions up to 1.0.2h. Does this mean that the fix is not applied to the 1.0.1 series (in particular 1.0.1t)?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |

Re: [openssl-users] CVE-2016-2177
On 16/08/16 03:37, Jakob Bohm wrote:
> Just to clarify for anyone searching the archives in the future:
>
> Is that commit included in release 1.0.1t or not?

No, it's not yet in an official release. It will be included in the next 1.0.1 release - whenever that is.

Matt

>
> (I could probably dig it up myself, but I am not an authoritative
> source on the matter, so not good enough for future readers).
>
> On 12/08/2016 21:20, Salz, Rich wrote:
>>
>> Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1
>>
>> *From:* Scott Neugroschl [mailto:scot...@xypro.com]
>> *Sent:* Friday, August 12, 2016 3:11 PM
>> *To:* openssl-users@openssl.org
>> *Subject:* [openssl-users] CVE-2016-2177
>>
>> CVE 2016-2177 notes that it applies to all versions up to 1.0.2h.
>> Does this mean that the fix is not applied to the 1.0.1 series (in
>> particular 1.0.1t)?
>>
> Enjoy
>
> Jakob

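Added example, not part of the original thread and not OpenSSL project code: one way to check from a local git clone whether a fix commit is contained in a given release tag, which is the question asked and answered above. The function names, the `demo_1_0_1t`/`demo_1_0_1u` tags and the throwaway repository are constructed for illustration; against a real OpenSSL clone the arguments would be the clone path, the commit id quoted in the thread, and a release tag such as `OpenSSL_1_0_1t`.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a fix commit is
# contained in a release tag of a local git clone.

# commit_in_release <repo> <commit> <tag>
# returns 0 = tag contains the commit, 1 = it does not,
#         2 = commit or tag is not present in this clone.
commit_in_release() {
    # ^{commit} forces an object lookup; a bare 40-hex string would
    # otherwise pass --verify even if the object is missing.
    git -C "$1" rev-parse --verify --quiet "$2^{commit}" >/dev/null 2>&1 || return 2
    git -C "$1" rev-parse --verify --quiet "refs/tags/$3^{commit}" >/dev/null 2>&1 || return 2
    if git -C "$1" merge-base --is-ancestor "$2" "refs/tags/$3"; then
        return 0
    fi
    return 1
}

# releases_containing <repo> <commit> <tag-glob>
# prints every matching tag whose history includes the commit.
releases_containing() {
    git -C "$1" tag --contains "$2" --list "$3"
}

# Constructed stand-in for a real clone: two empty commits, where the
# "fix" lands after demo_1_0_1t and before demo_1_0_1u (made-up tags).
# Prints the repo path on line 1 and the fix commit id on line 2.
make_demo_repo() {
    d=$(mktemp -d) || return 1
    g() { git -C "$d" -c user.name=demo -c user.email=demo@example.invalid \
              -c commit.gpgsign=false -c tag.gpgsign=false "$@"; }
    git init -q "$d" &&
    g commit -q --allow-empty -m "release t" && g tag demo_1_0_1t &&
    g commit -q --allow-empty -m "fix" &&
    fix=$(g rev-parse HEAD) && g tag demo_1_0_1u &&
    printf '%s\n%s\n' "$d" "$fix"
}
```

A return value of 2 usually means the clone is shallow or stale, so fetch the stable branch and tags before concluding that a release lacks the fix.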
Re: [openssl-users] CVE-2016-2177
Just to clarify for anyone searching the archives in the future:

Is that commit included in release 1.0.1t or not?

(I could probably dig it up myself, but I am not an authoritative source on the matter, so not good enough for future readers).

On 12/08/2016 21:20, Salz, Rich wrote:
> Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1
>
> *From:* Scott Neugroschl [mailto:scot...@xypro.com]
> *Sent:* Friday, August 12, 2016 3:11 PM
> *To:* openssl-users@openssl.org
> *Subject:* [openssl-users] CVE-2016-2177
>
> CVE 2016-2177 notes that it applies to all versions up to 1.0.2h. Does
> this mean that the fix is not applied to the 1.0.1 series (in
> particular 1.0.1t)?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: [openssl-users] CVE-2016-2177
Commit 6f35f6deb5ca7daebe289f86477e061ce3ee5f46 in 1.0.1

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz

From: Scott Neugroschl [mailto:scot...@xypro.com]
Sent: Friday, August 12, 2016 3:11 PM
To: openssl-users@openssl.org
Subject: [openssl-users] CVE-2016-2177

CVE 2016-2177 notes that it applies to all versions up to 1.0.2h. Does this mean that the fix is not applied to the 1.0.1 series (in particular 1.0.1t)?

---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 | Simi Valley, CA 93063 | Phone 805 583-2874 | Fax 805 583-0124 |