On Wed, Jan 08, 2014, yaber...@ca.ibm.com wrote:

> Hi,
> 
> I've recently seen OpenSSL 1.0.1f and 1.0.0l releases which fix some 
> security issues.
> Your vulnerabilities page states it only affects some 1.0.0* and 1.0.1* 
> releases.
> However, when I look at these URLs, I'm under the impression it also 
> affects 0.9.8y.
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449
> 
> 
> Question(s)
> Are these 2 security issues affecting 0.9.8y?
> If so, will you release a 0.9.8z version that will fix them?
> If not, why? Is it because 0.9.8 is now unsupported? If so, it would be great 
> if you could state it on your website.
> 
> 

While the bugs are present in 0.9.8y they don't have any security
implications.

In the case of CVE-2013-6449 it's a DoS attack because the handling of SSL
v3.0 and TLS 1.0 differ markedly compared to TLS 1.1 and 1.2. In 0.9.8y only
SSL v3.0 and TLS 1.0 are supported and the differences won't cause a crash.

For CVE-2013-6450 this is a security issue for OpenSSL 1.0 and later because
an attempt is made to use a freed context. For 0.9.8 this is still a bug
because the current (instead of the old) session parameters are used but 
not for a freed context.

And the version after 0.9.8y (if there is one) will be 0.9.8za, see the FAQ.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org