All,

Is OpenSSL version 0.9.7m vulnerable to this security notice http://www.openssl.org/news/secadv_20071012.txt?

Reading through the notice, it sounds like they recommend upgrading to 0.9.8g but that only those versions PRIOR to 0.9.7m are affected. We must build a FIPS-compliant OpenSSL and I'm just trying to find out if we are still OK with the version that we are currently building (0.9.7m).

Thank you,
Jerry

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Marquess
Sent: Tuesday, February 26, 2008 01:48 PM
To: openssl-users@openssl.org
Subject: Re: 0.9.8 version that is fips compliant?

Blasdel, Jerry wrote:
> All,
>
> Is there a 0.9.8 version of OpenSSL that is fips compliant? Steve
> thought there would be one available possibly around February/March
> timeframe of this year.

Alas, that schedule has slipped. We lost a month plus due to the unexpected ordeal of getting the vulnerability patch to the v1.1.1 validated product approved. In addition, the number of test platforms (eight) for the ongoing v1.2 validation has consumed much more time than I'd estimated due to difficulties with procuring necessary hardware and software.

Unfortunately the formal submission for government review doesn't happen until *all* testing is completed on *all* platforms. We're almost done with the last platform, 64-bit Windows. That caused an inordinate amount of delay and in hindsight I would have dropped it from the validation.

Then the real wait begins. I'm hesitant to even guess at a final completion date. The backlog for CMVP review is apparently running at six months or more; that would take us out until August at the earliest. Still fast compared to the first validation, which took over five years. I had hoped to get the cycle down to under a year, but FIPS 140-2 validations will never be fast compared to software product life cycles.

-Steve M.
--
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]