Hi Folks,

I'm trying to determine whether CVE-2014-0076 applies to the patched
OpenSSL 0.9.7d that is part of Solaris 10. I looked at the fixes that
were applied to 1.0.1, 1.0.0, and 0.9.8 which include changes to the
ec_GF2m_montgomery_point_multiply() function, which doesn't exist in
S10's enhanced 0.9.7. Based on the actual fix and the fact that none of
the still existing EC routines from 0.9.7 were modified, it appears that
the vulnerability does not apply to 0.9.7.

But the "Vulnerable software and versions" section of the NIST
Vulnerability Summary seems to imply that the vulnerability applies to
0.9.7 as well:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076

Can anyone please comment on whether CVE-2014-0076 is in fact relevant
to 0.9.7? Thank you!

--
ron jordan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org