Re: CVE-2014-5139 patch
On 25/08/14 09:57, sandeep umesh wrote:
> Hello users,
>
> NVD vulnerability database confirms the below link as the patch for
> CVE-2014-5139 -
>
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0
>
> This is indicating to CVE-2014-2970.
>
> Where as, the commit for CVE-2014-5139 seems to be -
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=83764a989dcc87fbea337da5f8f86806fe767b7e
>
> Can someone please confirm the patch for this CVE? Thanks

CVE-2014-5139 had an id change during its development. It was originally known as CVE-2014-2970, but before it was released this was changed to CVE-2014-5139. All references to CVE-2014-2970 should have been changed to CVE-2014-5139, but apparently this one got missed. Essentially CVE-2014-2970 and CVE-2014-5139 should be considered synonymous within OpenSSL.

The two commits that you have identified are on different branches (thanks to Kurt for pointing this out to me). The first commit is on the master branch, and is the fix for dev versions of OpenSSL. It has also been backported to the 1.0.2 beta branch in git. However it does not, as yet, appear in any released version of OpenSSL.

The second commit is the version for the 1.0.1 branch in git. This is the patch that has been applied in 1.0.1i. The NVD database should probably refer to this second commit instead.

Matt

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
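The point in Matt's reply is that the two commits live on different branches, and only one of them is in a shipped release. The check a practitioner wants is "is fix commit X an ancestor of release tag Y?", which git answers directly. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a small constructed repository (a master branch plus a release branch with a tag) to mirror that situation and runs the ancestry check against it. Against a real OpenSSL clone the same function would be called with the commit hashes from the thread and the release tag, e.g. `fix_in_ref 83764a989dcc87fbea337da5f8f86806fe767b7e OpenSSL_1_0_1i`; that tag name is an assumption about the project's tagging scheme and is not stated on the page.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a fix commit is contained
# in a given release tag or branch, using git's ancestry test.
set -e

# fix_in_ref SHA REF: prints "yes" if SHA is an ancestor of (or equal to) REF,
# i.e. the fix is part of that release/branch, and "no" otherwise.
fix_in_ref() {
    if git merge-base --is-ancestor "$1" "$2" 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Constructed repository for the demonstration: the fix is committed on master
# (the dev branch) and separately on a release branch that gets tagged, just as
# the thread describes for the master and 1.0.1 commits.
REPO=$(mktemp -d)
cd "$REPO"
git init -q
git symbolic-ref HEAD refs/heads/master      # fixed branch name regardless of git defaults
git config user.email "example@example.invalid"
git config user.name "Example"
git commit -q --allow-empty -m "base"
git branch release-1.0.1
git commit -q --allow-empty -m "fix on master (dev branch)"
MASTER_FIX=$(git rev-parse HEAD)
git checkout -q release-1.0.1
git commit -q --allow-empty -m "same fix on the 1.0.1 release branch"
RELEASE_FIX=$(git rev-parse HEAD)
git tag v1.0.1i                               # constructed tag name for the release
git checkout -q master

# The release tag carries the release-branch commit but not the master commit,
# so a database entry pointing at the master commit would not match the shipped fix.
fix_in_ref "$RELEASE_FIX" v1.0.1i   # yes
fix_in_ref "$MASTER_FIX" v1.0.1i    # no

# Listing which tags contain a commit is the same question from the other side;
# for the master commit this prints nothing, i.e. no release includes it.
git tag --contains "$MASTER_FIX"
```

`git merge-base --is-ancestor` exits 0 when the first argument is reachable from the second, so the function works for branches, tags and bare commit hashes alike; `git tag --contains` is the convenient form when you want every release that ships a fix rather than a yes/no for one.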
Re: CVE-2014-5139 patch
On Mon, Aug 25, 2014 at 02:27:27PM +0530, sandeep umesh wrote:
> Hello users,
>
> NVD vulnerability database confirms the below link as the patch for
> CVE-2014-5139 -
>
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0
>
> This is indicating to CVE-2014-2970.
>
> Where as, the commit for CVE-2014-5139 seems to be -
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=83764a989dcc87fbea337da5f8f86806fe767b7e
>
> Can someone please confirm the patch for this CVE? Thanks

They are mostly the same, but CVE-2014-2970 should not be used:

CVE-2014-2970

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality for certain process-bifurcation use cases that might arise in future LibreSSL-based applications. There is no CVE ID associated with this LibreSSL code change. As of 20140730, CVE-2014-5139 is an undisclosed vulnerability in a different product, with ongoing vulnerability coordination that had previously used the CVE-2014-2970 ID.

Ciao,
Marcus
CVE-2014-5139 patch
Hello users,

NVD vulnerability database confirms the below link as the patch for CVE-2014-5139 -

https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0

This is indicating to CVE-2014-2970.

Where as, the commit for CVE-2014-5139 seems to be -
https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=83764a989dcc87fbea337da5f8f86806fe767b7e

Can someone please confirm the patch for this CVE? Thanks

Regards,
Sandeep