On Mar 25, 2010, at 6:33 PM, Jean-Marc Desperrier wrote:
OpenSSL wrote:
"Record of death" vulnerability in OpenSSL 0.9.8f through 0.9.8m
How comes the vulnerability doesn't touch 0.9.8e though the patched
file wasn't modified between 0.9.8e and 0.9.8f ?
But that code was modified between 0.9.8d and 0.9.8e, see this patch :
http://cvs.openssl.org/filediff?f=openssl/ssl/s3_pkt.c&v1=1.60&v2=1.61
Could it be a reference mistake and that this vulnerability is from
0.9.8e through 0.9.8m ?
No, it's not a mistake -- it's code elsewhere that no longer tolerates
the coarse logic we are changing in the patch, which has been around
forever.
Bodo
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org