On Wed, Jan 08, 2014, yaber...@ca.ibm.com wrote:
> Hi,
>
> I've recently seen OpenSSL 1.0.1f and 1.0.0l releases which fix some
> security issues.
> Your vulnerabilities page states it only affects some 1.0.0* and 1.0.1*
> releases.
> However, when I look at these URLs, I'm under the impression it also
> affects 0.9.8y.
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6450
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6449
>
> Question(s)
> Are these 2 security issues affecting 0.9.8y?
> If so, will you release a 0.9.8z version that will fix them?
> If not, why? Is it because 0.9.8 is now unsupported? If so, it would be great
> if you could state it on your website.
>
While the bugs are present in 0.9.8y they don't have any security implications.

In the case of CVE-2013-6449 it's a DoS attack because the handling of SSL v3.0 and TLS 1.0 differs markedly compared to TLS 1.1 and 1.2. In 0.9.8y only SSL v3.0 and TLS 1.0 are supported and the differences won't cause a crash.

For CVE-2013-6450 this is a security issue for OpenSSL 1.0 and later because an attempt is made to use a freed context. For 0.9.8 this is still a bug because the current (instead of the old) session parameters are used, but not for a freed context.

And the version after 0.9.8y (if there is one) will be 0.9.8za, see the FAQ.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org