On 6 June 2014 08:27, Zhong Chen <[email protected]> wrote:
> Hello,
>
> In the “OpenSSL Security Advisory [05 Jun 2014]”, regarding “SSL/TLS MITM
> vulnerability (CVE-2014-0224)”, it says:
>
> Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1.
> Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a
> precaution.
>
> We are using openssl 1.0.0 as a server. Looking at the diff between 1.0.0m
> and 1.0.0k, the same patch is applied to s3_srvr.c and s3_pkt.c. I want to
> confirm this is just for precaution, or openssl 1.0.0 is vulnerable too.
As it says in the quote you have provided, only 1.0.1 servers are known to be vulnerable. The same patch is applied to other server versions as a precaution and we still advise you to upgrade.

Matt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
