On Thu, Mar 25, 2010, Paul Suhler wrote:

> Am I reading the changes file correctly: if you don't use Kerberos,
> then this vulnerability doesn't apply?

There are two separate issues.

CVE-2010-0740 applies to 0.9.8m SSL/TLS and has nothing to do with Kerberos. That is why we made the special release.

CVE-2010-0433 applies only if OpenSSL is compiled with Kerberos support (it isn't by default). This was fixed before and, since it only affected Kerberos builds, it was felt it didn't warrant a release.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org