On Mon, Jan 06, 2014, Kurt Roeckx wrote:
> So the 1.0.1f release fixed 3 CVEs. The links on
> http://www.openssl.org/news/vulnerabilities.html
> suggest that the following commits are needed:
> CVE-2013-4353:
> 197e0ea817ad64820789d86711d55ff50d71f631
>
> CVE-2013-6450:
> 34628967f1e65dc8f34e000f0f5518e21afbfc7b
>
> CVE-2013-6449:
> ca989269a2876bae79393bd54c3e72d49975fc75
>
> As can be seen in RT #3214, applying only
> 34628967f1e65dc8f34e000f0f5518e21afbfc7b for CVE-2013-6450 will
> result in different crashes and you also need
> a6c62f0c25a756c263a80ce52afbae888028e986
>
> For CVE-2013-6449 people have also been saying that
> you need 0294b2be5f4c11e60620c0018674ff0e17b14238. At least both
> commits originate from the same bug report.
>
> Could you please clarify things?
You don't need 0294b2be5f4c11e60620c0018674ff0e17b14238; it was an interim fix to prevent the crash when we weren't sure of the precise cause. However, it's a good idea to include it anyway because it handles failed calls cleanly without crashing, though there is currently no known way of triggering them that isn't fixed by ca989269a2876bae79393bd54c3e72d49975fc75.

Although there is no CVE connected to it, it is also advisable to include f3dcc8411e518fb0835c7d72df4a58718205260d as well.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org