Do I have to apply this to 0.9.8a too?

Matthias "Maddes" Bücher

On 11.10.2005 21:53, Richard Levitte - VMS Whacker wrote:
> Correct analysis.
>
> What's happened is that the FIPS functions for SHA224, SHA256,
> SHA384 and SHA512 were added. They require a larger
> EVP_MAX_MD_SIZE. The functions were wrapped with an #ifdef
> OPENSSL_FIPS, while EVP_MAX_MD_SIZE was forgotten in that process.
>
> The patch to correct the problem is quite easy, though, and you can
> find it attached to this letter.
>
> My recommendation is to apply that patch unconditionally. The
> security issue that caused the release of 0.9.7h is serious enough
> not to disregard this release and instead go through the hoops of
> applying an extra patch.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org