RE: OpenSSL Vulnerability CVE-2014-0195
Hi All,

We are using openSSL 0.9.8d and want to confirm if we are vulnerable to CVE-2014-0195 and if there is a patch for the same.

Thanks in advance,
Venkat

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jaya Nageswar
Sent: Monday, June 09, 2014 7:13 PM
To: openssl-users@openssl.org
Subject: OpenSSL Vulnerability CVE-2014-0195

> Hi All,
>
> We are currently using openssl 0.9.8 h version in one of our components. I would like to get some additional information about the vulnerability "DTLS invalid fragment vulnerability (CVE-2014-0195)". I could get the information about all other vulnerabilities that are fixed in 0.9.8 za except this vulnerability at https://www.openssl.org/news/vulnerabilities.html
>
> At the above link, it was clearly mentioned about the 0.9.8 versions that are being affected for each of the vulnerabilities. However I could not find any information about CVE-2014-0195 here.
>
> As per my analysis, the DTLS fragment reassembly fixes have been added in openssl 0.9.8 o as part of "PR 2230: Fix various DTLS fragment reassembly bugs". These fixes do not exist in openssl 0.9.8 h. The vulnerability fix for "CVE-2014-0195" is part of those fixes that were added in 0.9.8 o version.
>
> I would like to know if openssl 0.9.8 h is affected for the vulnerability CVE-2014-0195. Appreciate your quick feedback on this.
>
> Thanks in advance.
>
> regards,
> -Jay.
Re: OpenSSL Vulnerability CVE-2014-0195
Hi,

Do you use DTLS? It is a secure mode of UDP transfer. If you are not using DTLS then you are not vulnerable.

regards,
James

On Mon, Jun 9, 2014 at 6:43 PM, Jaya Nageswar jaya.nages...@gmail.com wrote:

> Hi All,
>
> We are currently using openssl 0.9.8 h version in one of our components. I would like to get some additional information about the vulnerability "DTLS invalid fragment vulnerability (CVE-2014-0195)". I could get the information about all other vulnerabilities that are fixed in 0.9.8 za except this vulnerability at https://www.openssl.org/news/vulnerabilities.html
>
> At the above link, it was clearly mentioned about the 0.9.8 versions that are being affected for each of the vulnerabilities. However I could not find any information about CVE-2014-0195 here.
>
> As per my analysis, the DTLS fragment reassembly fixes have been added in openssl 0.9.8 o as part of "PR 2230: Fix various DTLS fragment reassembly bugs". These fixes do not exist in openssl 0.9.8 h. The vulnerability fix for "CVE-2014-0195" is part of those fixes that were added in 0.9.8 o version.
>
> I would like to know if openssl 0.9.8 h is affected for the vulnerability CVE-2014-0195. Appreciate your quick feedback on this.
>
> Thanks in advance.
>
> regards,
> -Jay.
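A small triage helper for the question this thread keeps circling (added example, not code from the list or the OpenSSL project): it orders OpenSSL's letter releases so that 0.9.8h < 0.9.8o < 0.9.8y < 0.9.8za, compares an installed build against the fixed releases named in the 5 June 2014 advisory linked above (0.9.8za, 1.0.0m, 1.0.1h), and applies James's point that a build which never speaks DTLS is not exposed even if it predates the fix. The FIXED_IN table and the function names are my own.

```python
import re
from typing import Tuple

# Releases that carry the CVE-2014-0195 fix, per secadv_20140605
# (assumption: taken from that advisory, keyed by branch "major.minor.patch").
FIXED_IN = {
    "0.9.8": "0.9.8za",
    "1.0.0": "1.0.0m",
    "1.0.1": "1.0.1h",
}

# Accepts "0.9.8h", "0.9.8 h" (as written in the thread) and "0.9.8za".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\s*([a-z]*)\s*$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an OpenSSL version string into a comparable tuple.

    The letter suffix is ranked base-26 so that a..y sort below za, zb, ...;
    the 0.9.8 series ran out of single letters after 0.9.8y and continued
    with two-letter suffixes, which a naive string compare would misorder.
    """
    m = _VERSION_RE.match(text.lower())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    rank = 0
    for ch in m.group(4):
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return major, minor, patch, rank


def is_fixed(installed: str) -> bool:
    """True if the installed release is at or above its branch's fixed release."""
    v = parse_version(installed)
    branch = f"{v[0]}.{v[1]}.{v[2]}"
    if branch not in FIXED_IN:
        raise ValueError(f"no fix data for branch {branch}")
    return v >= parse_version(FIXED_IN[branch])


def dtls_exposure(installed: str, uses_dtls: bool) -> str:
    """Triage as James does above: no DTLS in use means no exposure."""
    if not uses_dtls:
        return "not exposed (DTLS not used)"
    if is_fixed(installed):
        return "patched"
    v = parse_version(installed)
    return f"vulnerable: upgrade to {FIXED_IN[f'{v[0]}.{v[1]}.{v[2]}']}"
```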
Advisory on CVE 2014-0195 not listed on main vulnerabilities page
Dear OpenSSL web page subteam,

CVE 2014-0195 is listed in https://www.openssl.org/news/secadv_20140605.txt as fixed by the latest round of security fixes, however it is missing from the primary cross reference at https://www.openssl.org/news/vulnerabilities.html

You may wish to update the page to reflect this part of the advisory.

This was also mentioned by Mr. Nageswar in an unanswered message 14 days ago.

Enjoy

Jakob

--
Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
OpenSSL 1.0.1h for android ?? Please help.
Hello Users,

I am at task to compile OpenSSL 1.0.1h for android platform and link it with an application. Can somebody give some pointers on how to do it. My problem is that there are no Android.mk files for this. And how can I use ndk-build here?

Development env:
1. Ubuntu 14.04 / 12.04
2. Android NDK-r9d

Regards
Abhishek.
Re: OpenSSL 1.0.1h for android ?? Please help.
Openssl does not directly support Android AFAIR. You can try some manual changes to e.g. CC or write your own make file.

On Jun 23, 2014 11:18 AM, Abhishek Gupta abhis...@meddiff.com wrote:

> Hello Users,
>
> I am at task to compile OpenSSL 1.0.1h for android platform and link it with an application. Can somebody give some pointers on how to do it. My problem is that there are no Android.mk files for this. And how can I use ndk-build here?
>
> Development env:
> 1. Ubuntu 14.04 / 12.04
> 2. Android NDK-r9d
>
> Regards
> Abhishek.
Re: OpenSSL 1.0.1h for android ?? Please help.
On Mon, Jun 23, 2014 at 2:17 PM, Abhishek Gupta abhis...@meddiff.com wrote:

> Hello Users,
>
> I am at task to compile OpenSSL 1.0.1h for android platform and link it with an application. Can somebody give some pointers on how to do it. My problem is that there are no Android.mk files for this. And how can I use ndk-build here?

http://wiki.openssl.org/index.php/Android
Re: Advisory on CVE 2014-0195 not listed on main vulnerabilities page
Hi Jakob,

Thanks - I think this has now been corrected, the website should sync within an hour or so. Please let me know if you see anything amiss.

Cheers,
Geoff

On Mon, Jun 23, 2014 at 8:15 AM, Jakob Bohm jb-open...@wisemo.com wrote:

> Dear OpenSSL web page subteam,
>
> CVE 2014-0195 is listed in https://www.openssl.org/news/secadv_20140605.txt as fixed by the latest round of security fixes, however it is missing from the primary cross reference at https://www.openssl.org/news/vulnerabilities.html
>
> You may wish to update the page to reflect this part of the advisory.
>
> This was also mentioned by Mr. Nageswar in an unanswered message 14 days ago.
>
> Enjoy
>
> Jakob
RE: Advisory on CVE 2014-0195 not listed on main vulnerabilities page
CVE-2014-0198 is listed in the VULNERABILITIES page as fixed in 1.0.1h and 1.0.0m, but is not listed on the Release Notes for either of these releases.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Geoffrey Thorpe
Sent: Monday, June 23, 2014 11:59 AM
To: jb-open...@wisemo.com
Cc: openssl-users@openssl.org
Subject: Re: Advisory on CVE 2014-0195 not listed on main vulnerabilities page

> Hi Jakob,
>
> Thanks - I think this has now been corrected, the website should sync within an hour or so. Please let me know if you see anything amiss.
>
> Cheers,
> Geoff
>
> On Mon, Jun 23, 2014 at 8:15 AM, Jakob Bohm jb-open...@wisemo.com wrote:
>
> > Dear OpenSSL web page subteam,
> >
> > CVE 2014-0195 is listed in https://www.openssl.org/news/secadv_20140605.txt as fixed by the latest round of security fixes, however it is missing from the primary cross reference at https://www.openssl.org/news/vulnerabilities.html
> >
> > You may wish to update the page to reflect this part of the advisory.
> >
> > This was also mentioned by Mr. Nageswar in an unanswered message 14 days ago.
> >
> > Enjoy
> >
> > Jakob
Re: OpenSSL 1.0.1h for android ?? Please help.
http://wiki.openssl.org/index.php/Android

In addition, the Guardian Project's Orbot is a live working example of a project currently building OpenSSL on Android.

https://gitweb.torproject.org/orbot.git/blob/HEAD:/external/Makefile
ECDH example for openssl 0.9.8za
Hello users,

I recently wrote a program to do ECDH secret derivation, using OpenSSL v1.0.1f. I actually followed the example given at http://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman, and I was able to make it work.

But I need to make the program work on a machine with OpenSSL v0.9.8za, and I found that the example wouldn't compile as many of the functions like:

EVP_PKEY_CTX_new_id
EVP_PKEY_paramgen_init,

and many more were introduced only in 1.0.0 and later.

So does anyone know how to get the secret derivation working in OpenSSL v0.9.8? Because from what I read I think it was supported, so I guess I just don't know what functions to substitute for these.

I'm developing on Ubuntu 14.04, but I'll be using an older version of OpenSSL (v0.9.8za) for my particular use case.

Any help would be greatly appreciated. Thanks in advance!

Pratyush Parimal.
Re: ECDH example for openssl 0.9.8za
On Mon, Jun 23, 2014 at 06:46:29PM -0400, pratyush parimal wrote:

> So does anyone know how to get the secret derivation working in OpenSSL v0.9.8?

The EC support in 0.9.8 is incomplete, and disabled by default. You should treat 0.9.8 as NOT capable of doing EC.

> Because from what I read I think it was supported, so I guess I just don't know what functions to substitute for these.

Your source was wrong. While some EC functionality is present in 0.9.8, it should not be used.

--
Viktor.
Re: ECDH example for openssl 0.9.8za
Hi,

Thanks a lot for the clarification. I understand now. Could you also let me know the same about normal DH operations (not the EC counterparts)? Are they supported in v0.9.8 then?

Regards,
Pratyush.

On Jun 23, 2014 7:07 PM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> On Mon, Jun 23, 2014 at 06:46:29PM -0400, pratyush parimal wrote:
>
> > So does anyone know how to get the secret derivation working in OpenSSL v0.9.8?
>
> The EC support in 0.9.8 is incomplete, and disabled by default. You should treat 0.9.8 as NOT capable of doing EC.
>
> > Because from what I read I think it was supported, so I guess I just don't know what functions to substitute for these.
>
> Your source was wrong. While some EC functionality is present in 0.9.8, it should not be used.
>
> --
> Viktor.
Re: ECDH example for openssl 0.9.8za
On Mon, Jun 23, 2014 at 07:18:06PM -0400, pratyush parimal wrote:

> Thanks a lot for the clarification. I understand now. Could you also let me know the same about normal DH operations (not the EC counterparts)? Are they supported in v0.9.8 then?

Prime DH is supported in 0.9.8.

--
Viktor.
Re: ECDH example for openssl 0.9.8za
Thanks .. that helps!

-pratyush

On Jun 23, 2014 7:44 PM, Viktor Dukhovni openssl-us...@dukhovni.org wrote:

> On Mon, Jun 23, 2014 at 07:18:06PM -0400, pratyush parimal wrote:
>
> > Thanks a lot for the clarification. I understand now. Could you also let me know the same about normal DH operations (not the EC counterparts)? Are they supported in v0.9.8 then?
>
> Prime DH is supported in 0.9.8.
>
> --
> Viktor.