On Fri, Nov 19, 2010, Muhammed Shafeek wrote:

> In the Advisory it is mentioned that
> "Users of all OpenSSL 0.9.8 releases from 0.9.8f through 0.9.8o should
> update
> to the OpenSSL 0.9.8p release which contains a patch to correct this issue."
>
> What about users of OpenSSL releases before 0.9.8f? Isn't the vulnerability
> applicable there as well?
>
The bug is related to TLS extensions and any OpenSSL version supporting
extensions is vulnerable: however, other issues are present if extension
support is not present or disabled, such as the renegotiation issue which was
addressed in OpenSSL 0.9.8m.

In fact, from 0.9.8f to 0.9.8i extensions were supported but not enabled by
default. From 0.9.8j onwards extension support is enabled by default.

Note that the above version numbers refer to standard versions of OpenSSL.
Some custom versions (which appear on some Linux distros) may have backported
extension support to earlier base versions.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org