As many people have already noticed and mentioned, s/-13/-31/g in the CVE numbers assigned as part of the great CVE game.
No, I can't "change the announcement" as I can't go edit the internet to change public mailing list archives. The CVE numbers are correct in the patches and everywhere else that matters.

On Thu, Dec 3, 2015 at 11:01 PM, Bob Beck <[email protected]> wrote:
>
> Four new OpenSSL CVE's were released today, which OpenSSL deemed to be
> not of sufficient severity to warrant advance disclosure.
>
> OpenBSD/LibreSSL is not vulnerable to two of these CVE's.
>
> CVE-2015-1393: Recently introduced in OpenSSL only. We did not merge
> this because it gave miod@ a bad feeling.
>
> CVE-2015-1394: NULL pointer dereference in client side certificate
> validation. It was reported to OpenSSL on Aug 27, 2015, and kept
> secret from the community until Dec 3, 2015 by OpenSSL and the
> reporter of the bug.
>
> CVE-2015-1395: Memory leak in PKCS7 - not reachable from TLS/SSL
>
> CVE-2015-1396: String handling bug in code we deleted long ago, using
> a function that all uses of which were flensed from LibreSSL shortly
> after its creation.
>
> Fixes have been committed for both CVE-2015-1394 and CVE-2015-1395.
> CVE-2015-1394 warrants an errata.
>
> The errata for CVE-2015-1394 is available for OpenBSD 5.8 and OpenBSD
> 5.7 from the master site as well as the mirrors:
>
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.8/common/009_clientcert.patch.sig
> http://ftp.openbsd.org/pub/OpenBSD/patches/5.7/common/021_clientcert.patch.sig
