Rich,

We have customers who are asking us to address this vulnerability as well as CVE-2016-2178.

CVE-2016-2177 (s3_srvr.c, ssl_sess.c, t1_lib.c)
CVE-2016-2178 (dsa_ossl.c).

Do you see any reason why we should not go ahead and add these changes to our existing 1.0.2h code?

Thanks,
Phil

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Salz, Rich
Sent: Tuesday, June 28, 2016 11:23 AM
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] CVE-2016-2177

>Will you be releasing 1.0.2i soon to address this issue?
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2177

Please see https://www.openssl.org/blog/blog/2016/06/27/undefined-pointer-arithmetic/

Short answer: this is a LOW issue, and does not justify a release by itself.

--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at Twitter: RichSalz
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev