On Thu, Mar 25, 2010, Bodo Moeller wrote:

> >>"Record of death" vulnerability in OpenSSL 0.9.8f through 0.9.8m
> No, it's not a mistake -- it's code elsewhere that no longer
> tolerates the coarse logic we are changing in the patch, which has
> been around forever.

Could you please elaborate? I'm asking this because:
- we ship OpenSSL 0.9.8k + some security patches, e.g., turn off
  renegotiation.
- I need to find out whether our version is affected (if it is,
  we need to update our products to include this patch)

So far I haven't been able to determine which change caused the
problem, so I'm still looking at various diffs, but I'm not
familiar with the source code to (easily) spot the problem.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org