It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based distributions as
well, correct?
It doesn't appear that the fix has been applied to the OpenSSL_0_9_8-stable
branch yet though. I suppose it might need a few tweaks to apply there
cleanly...
Thanks.

Hi all,
We use the OpenSSL FIPS Object Module v.2.0, but are not allowed anymore (as of
the start of this year) to submit new product for validation because the RSA
implementation is only FIPS 186-2 compliant. Based on extensive review and
research it seems to be possible to patch the RSA key

On Wed, 26 Mar 2014 06:55:41 + geoff_l...@mcafee.com wrote:
> It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
> distributions as well, correct?
Yes, 0.9.8y also uses the same Lopez/Dahab algo when computing
elliptic scalar mult on curves defined over binary fields
(i.e. GF(2^m)).

On Tue, Mar 25, 2014, geoff_l...@mcafee.com wrote:
> It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based distributions as
> well, correct?
Yes, that's correct, but we weren't planning on making any more 0.9.8 releases.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.

On Tue, Mar 25, 2014 at 09:23:58PM +, geoff_l...@mcafee.com wrote:
> It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
> distributions as well, correct?
Isn't this an ECDSA issue? I thought that EC algorithms are by
default disabled in OpenSSL 0.9.8 (require explicit ECCdraft in

On Wed, Mar 26, 2014, Viktor Dukhovni wrote:
> On Tue, Mar 25, 2014 at 09:23:58PM +, geoff_l...@mcafee.com wrote:
>> It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
>> distributions as well, correct?
> Isn't this an ECDSA issue? I thought that EC algorithms are by
> default

On 03/26/2014 12:30 PM, Mark Hatle wrote:
> Looking at the fips_canister.c I see that ia32 (32-bit and 64-bit)
> systems are not enabled with the cross compiling when using 'Linux'.
> But ia32 (32-bit) is enabled on Android systems.
> This is preventing me from cross compiling and using the fipsld

Dr. Stephen Henson steve at openssl.org writes:
> On Wed, Mar 26, 2014, Viktor Dukhovni wrote:
>> Perhaps given the number of post-0.9.8y commits pending on the
>> OpenSSL_0_9_8-stable branch, one final z release could be issued,
>> no more commits made after that, and plans to not make any further

On 3/26/14, 2:41 PM, Steve Marquess wrote:
> On 03/26/2014 12:30 PM, Mark Hatle wrote:
>> Looking at the fips_canister.c I see that ia32 (32-bit and 64-bit)
>> systems are not enabled with the cross compiling when using 'Linux'.
>> But ia32 (32-bit) is enabled on Android systems.
>> This is preventing me