On 07/08/14 20:42, Jaya Nageswar wrote:
> Hi All,
> 
> The following vulnerability fixes in 0.9.8 zb seem to be related to the
> DTLS reassemble fragment functionality that is introduced from 0.9.8 o
> version.
> 
> CVE-2014-3505 - Avoid double free when processing DTLS packets
> CVE-2014-3506 - Fix DTLS handshake message size checks
> CVE-2014-3507 - Fix memory leak from zero-length DTLS fragments
> 
> As per the https://www.openssl.org/news/vulnerabilities.html, all the
> versions of openssl 0.9.8. This includes the versions before 0.9.8 o
> where the DTLS reassemble fragment is not present.
> 
> Can someone confirm if it is updated by mistake or if all the versions
> of 0.9.8 are affected by the above vulnerabilities too?
> 
> Appreciate your quick response on this.
> 
> regards,
> -Jaya.


Hi Jaya

CVE-2014-3505 has two sites which are affected by the same problem
(either of these can be present for the issue to occur). One
of these is dtls1_reassemble_fragment, which you rightly say was not
introduced until 0.9.8o. However the other site is in
dtls1_process_out_of_seq_message. This issue was introduced in 0.9.8m.
Therefore 0.9.8 - 0.9.8l are not affected.

CVE-2014-3506 primarily addresses issues in dtls1_reassemble_fragment.
However it does also address a problem in the non-fragmented case where
there was no check for the maximum handshake message size, and this
problem also exists in 0.9.8. Therefore 0.9.8 is still affected.

CVE-2014-3507 deals with an issue where zero-length fragments result in
a memory leak due to a flaw in the logic regarding reassembling
fragments. Since this logic does not exist in 0.9.8 - 0.9.8n, you are
correct that they are not affected.

I will correct the Security Advisory and the vulnerabilities page with
regard to CVE-2014-3505 and CVE-2014-3507.

Thank you for bringing this to our attention.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
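
The affected ranges given in the reply above, turned into a check that can be run over an inventory of 0.9.8 releases. This is an added example, not part of the original thread or of OpenSSL; the function names and the sample inventory are assumptions made for illustration, and the fixed release 0.9.8zb is taken from the question.

```python
import re

# Affected ranges inside the 0.9.8 branch, as stated in the reply above:
# CVE -> (first affected release, first fixed release). The fixed release
# 0.9.8zb is the one named in the question.
AFFECTED_098 = {
    "CVE-2014-3505": ("0.9.8m", "0.9.8zb"),
    "CVE-2014-3506": ("0.9.8", "0.9.8zb"),
    "CVE-2014-3507": ("0.9.8o", "0.9.8zb"),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?|z[a-z])")


def parse_version(text):
    """Turn '0.9.8za' into a sortable pair ((0, 9, 8), 27)."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"not an OpenSSL letter release: {text!r}")
    numbers = tuple(int(part) for part in m.group(1, 2, 3))
    # No letter -> 0, a..z -> 1..26, za -> 27, zb -> 28, ...
    patch = sum(ord(ch) - ord("a") + 1 for ch in m.group(4))
    return numbers, patch


def affected_cves(version):
    """Return the CVE ids from AFFECTED_098 that apply to a 0.9.8 release."""
    parsed = parse_version(version)
    if parsed[0] != (0, 9, 8):
        raise ValueError("this thread only covers the 0.9.8 branch")
    return sorted(
        cve
        for cve, (first, fixed) in AFFECTED_098.items()
        if parse_version(first) <= parsed < parse_version(fixed)
    )


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up.
    inventory = {"vpn-gw-1": "0.9.8l", "sip-proxy": "0.9.8n",
                 "dtls-relay": "0.9.8za", "patched": "0.9.8zb"}
    for host, version in inventory.items():
        hits = ", ".join(affected_cves(version)) or "none of the three"
        print(f"{host:12} {version:8} {hits}")
```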
