On 12/03/2014 00:30, Dr Stephen Henson wrote:
> 
> The fix was applied on Feb 11 2013. That would mean that official releases
> affected would be 0.9.8y, 1.0.0j and 1.0.1c. Any later official release should
> include the fix but we weren't planning to make any more 0.9.8 official
> releases though a 0.9.8 snapshot should include the fix.
> 
> OS specific versions of OpenSSL might not have included the fix. This is the
> actual diff:
> 
> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=147dbb2fe3bead7a10
> 

It looks like the only case this can happen is ssl_init_server_certs where an
SSL structure is created, SSL_get_certificate called and then it is freed.

If so then calling SSL_set_connect_state before the SSL_get_certificate
call is a potential workaround. This works because the faulty code isn't used by
SSL structures where ssl->server == 0 and SSL_set_connect_state does that,
among other things.

This is a bit of a hack because it's called on a server SSL structure. This
would probably fail horribly if an attempt was made to use the SSL structure but
in this case we're freeing it up immediately so this should hopefully not matter.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com
