Am I reading the changes file correctly: if you don't use Kerberos, then this vulnerability doesn't apply?
Thanks,
Paul

___________________________________
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office: 949.856.7748 | paul.suh...@quantum.com
___________________________________
Disregard the Quantum Corporation confidentiality notice below. The information contained in this transmission is not confidential. Permission is hereby explicitly granted to disclose, copy, and further distribute to any individuals or organizations, without restriction.

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Bodo Moeller
Sent: Thursday, March 25, 2010 11:40 AM
To: openssl-dev@openssl.org
Subject: Re: OpenSSL Security Advisory

On Mar 25, 2010, at 6:33 PM, Jean-Marc Desperrier wrote:

> OpenSSL wrote:
>> "Record of death" vulnerability in OpenSSL 0.9.8f through 0.9.8m
>
> How come the vulnerability doesn't touch 0.9.8e, though the patched
> file wasn't modified between 0.9.8e and 0.9.8f?
>
> But that code was modified between 0.9.8d and 0.9.8e, see this patch:
> http://cvs.openssl.org/filediff?f=openssl/ssl/s3_pkt.c&v1=1.60&v2=1.61
>
> Could it be a reference mistake and that this vulnerability is from
> 0.9.8e through 0.9.8m?

No, it's not a mistake -- it's code elsewhere that no longer tolerates the coarse logic we are changing in the patch, which has been around forever.

Bodo

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
______________________________________________________________________
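The thread above only settles which release range the advisory covers (0.9.8f through 0.9.8m), so the first thing a practitioner wants is a quick screen of installed versions against that range. The script below is an added example written for this page; it is not part of the thread or of the OpenSSL project's code. The range bounds are the ones stated in the advisory quoted above; the function names (`parse_openssl_version`, `is_affected`, `triage`, `local_openssl_affected`) and the sample banners are mine, and the banners are constructed for illustration. The patch-letter arithmetic follows the scheme OpenSSL uses for the patch byte of OPENSSL_VERSION_NUMBER, where 'a' through 'z' count 1 through 26 and a trailing 'za', 'zb', ... keeps counting from 27, so that a 0.9.8 version with a 'z'-prefixed suffix sorts after 0.9.8z rather than being misparsed.

```python
"""Screen OpenSSL version strings against the range named in the advisory
(0.9.8f through 0.9.8m).  Added example, not OpenSSL project code."""
import re
import subprocess

# Range as stated in the advisory quoted in the thread.
AFFECTED_LOW = "0.9.8f"
AFFECTED_HIGH = "0.9.8m"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def patch_letters_to_number(letters):
    """Map an OpenSSL patch suffix to the number used in OPENSSL_VERSION_NUMBER.

    '' -> 0, 'a' -> 1, ..., 'z' -> 26, 'za' -> 27, 'zb' -> 28, ...  Each
    letter contributes its ordinal, so 'zh' is 26 + 8 = 34 (0x22).
    """
    return sum(ord(c) - ord("a") + 1 for c in letters)


def parse_openssl_version(text):
    """Return (major, minor, fix, patch) from a bare version string or a
    full 'openssl version' banner such as 'OpenSSL 0.9.8k 25 Mar 2009'.
    Raises ValueError if no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), patch_letters_to_number(letters))


def is_affected(version_text, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """True if the version lies inside [low, high] inclusive."""
    v = parse_openssl_version(version_text)
    return parse_openssl_version(low) <= v <= parse_openssl_version(high)


def triage(banners):
    """Split a list of 'openssl version' banners (e.g. collected from a fleet
    of hosts) into those inside and outside the advisory's range."""
    result = {"affected": [], "not_affected": []}
    for banner in banners:
        key = "affected" if is_affected(banner) else "not_affected"
        result[key].append(banner)
    return result


def local_openssl_affected():
    """Run the local 'openssl version' binary; None if it cannot be run."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_affected(out)


if __name__ == "__main__":
    # Constructed banners for illustration; the dates are not authoritative.
    SAMPLE_BANNERS = [
        "OpenSSL 0.9.8e 23 Feb 2007",
        "OpenSSL 0.9.8k 25 Mar 2009",
        "OpenSSL 0.9.8m 25 Feb 2010",
        "OpenSSL 0.9.8n 24 Mar 2010",
        "OpenSSL 1.0.0 29 Mar 2010",
    ]
    for kind, items in triage(SAMPLE_BANNERS).items():
        print(kind, items)
    print("local openssl affected:", local_openssl_affected())
```

Treat a banner match as a first-pass screen only: distribution builds routinely backport a fix without changing the version letter, so a host reporting 0.9.8k may already carry the patch, and conversely this check says nothing about build options or whether a given application exercises the affected code path.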