Hi,

I've just been informed that there has been a CVE published about openssl. You can see some of it at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3108
http://www.securityfocus.com/bid/25163/solution
http://openssl.org/news/patch-CVE-2007-3108.txt

But I haven't seen an announcement about it yet.

Anyway, looking at this, there seems to be confusion about what is needed to fix this. I'll write here what I think is the situation. Someone please correct me if I'm wrong.

For HEAD the fixes are:
http://cvs.openssl.org/chngview?cn=16275
http://cvs.openssl.org/chngview?cn=16282
http://cvs.openssl.org/chngview?cn=16306

For 0.9.8e the fixes are:
http://cvs.openssl.org/chngview?cn=16277
http://cvs.openssl.org/chngview?cn=16308
Which is also in:
http://openssl.org/news/patch-CVE-2007-3108.txt

(The assembler versions don't exist in 0.9.8e)

Kurt
