On Thu, Jul 09, 2015 at 01:13:30PM +, Salz, Rich wrote:
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
In other words, if you are not using those specific releases -- i.e., the
ones that came out less than 30 days ago -- you do not need to upgrade.
More
Perhaps something like the CVE vectors, that others have suggested?
https://nvd.nist.gov/CVSS/Vector-v2.aspx
It's (a bit?) extra work while getting the release out, so it would be good to
hear enthusiastic support for this :)
--
Senior Architect, Akamai Technologies
IM: richs...@jabber.at
On 7/9/15, 15:06 , openssl-dev on behalf of Salz, Rich
openssl-dev-boun...@openssl.org on behalf of rs...@akamai.com wrote:
Perhaps something like the CVE vectors, that others have suggested?
https://nvd.nist.gov/CVSS/Vector-v2.aspx
I’d say it makes sense, and would be useful.
It's (a bit?)
Hi.
Vulnerability tester for CVE-2015-1793 (alternative chains certificate
forgery) based on Matt Caswell's test now available:
https://twitter.com/mancha140/status/619316033241923585
--mancha
pgp5yz3YFF0V2.pgp
Description: PGP signature
___
it would also be nice to have a bug-ID/CVE to track and organize the
upgrades.
The concern is that people would then start trying to find the CVE descriptions
which aren't available yet.
___
openssl-dev mailing list
To unsubscribe:
Hello,
it would also be nice to have a bug-ID/CVE to track
and organize the upgrades.
Best regards,
rm
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
On Thu, Jul 09, 2015 at 09:44:51 +0200, Ralph J.Mayer wrote:
it would also be nice to have a bug-ID/CVE to track
and organize the upgrades.
The actual OpenSSL release announcement/notes usually include the CVE
IDs. Though I guess it might be nice in some organizations to have
them early, even
On 9 July 2015 at 12:21, Salz, Rich rs...@akamai.com wrote:
it would also be nice to have a bug-ID/CVE to track and organize the
upgrades.
The concern is that people would then start trying to find the CVE
descriptions which aren't available yet.
Given that NVD is generally quite slow
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL version 1.0.2d released
===
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.2d of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL version 1.0.1p released
===
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 1.0.1p of our open source
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [9 Jul 2015]
===
Alternative chains certificate forgery (CVE-2015-1793)
==
Severity: High
During certificate verification, OpenSSL
This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.
In other words, if you are not using those specific releases -- i.e., the ones
that came out less than 30 days ago -- you do not need to upgrade.
___
openssl-dev mailing list
Request: Bug Report
Hello,
I recently compiled OpenSSL 1.0.2(c,d) for Solaris 5.10 using GCC 4.8.2 on an
UltraSPARC 45 and our group tested it on several different types of other
systems (V245, T4, T3, etc...) and it runs as expected on all systems except
the T3 where it hangs - even for a
Hi Rick,
Can you run the truss(1) command when you run openssl version as follows?
i.e.
% truss -lf -u libcrypto:: -u libpkcs11:: -o /tmp/truss.out openssl version
The output will tell you more information about the function calls made
by the openssl(1) application.
Thank you,
-- misaki
14 matches
Mail list logo