OpenSSL 0.9.8l is released as a workaround against the issue last week. However, as HKS mentioned, it is not a vulnerability of implementations but that of the protocol. All we can do so far is just work around, am I right?
Makoto

On Fri, Nov 13, 2009 at 12:55 AM, Robert Segall <[email protected]> wrote:
> On Wed, 2009-11-11 at 16:01 -0500, (private) HKS wrote:
>> http://www.kb.cert.org/vuls/id/120541
>>
>> I assume Pound is vulnerable to this since it seems to be a flaw in
>> the actual protocol design, but can anyone confirm?
>
> Yes, Pound suffers from the same problem (as you correctly note, this is
> really a SSL issue). We hope this will be fixed in some upcoming OpenSSL
> version.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-44-920 4904
>
> --
> To unsubscribe send an email with subject unsubscribe to [email protected].
> Please contact [email protected] for questions.
