Hi, I just tripped across this same problem yesterday. Which modules is it? I'd like to fix this for OpenVMS.
Paul

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of dalini
Sent: Thursday, October 14, 2004 7:17 PM
To: [EMAIL PROTECTED]
Subject: openssl 0.9.7d as a security risk

hi folks,

i'm not that familiar with your release policy and your definition of security and security risks, but i have a real concern about 0.9.7d.

as far as i understand the release policy, there will be new releases for openssl 0.9.7 only in case of security problems with the software, and so there will be bugfixes in cvs but no new releases until a security related problem gets fixed.

you as the developers may be familiar with the current situation of 0.9.7d, i guess, and therefore will know that the pkcs#7 part of openssl 0.9.7d is broken in the release but fixed (actually 10 days after it) in the cvs branch of 0.9.7. as far as i understand, you don't consider the broken pkcs#7 a security risk or break in terms of openssl.

that's the point where i really get stuck on your definitions of security, security risks and safety of operational systems; it is for me quite weird, to be honest...

so everybody who relies on pkcs#7 operations - and uses an openssl version prior to 0.9.7d and will update - will just break his whole security infrastructure, because he maybe does some suggested updates to 0.9.7d (because this fixes several security issues) and therefore will kill himself instantly.

of course, everybody should do tests before he upgrades sensitive parts of his infrastructure and so on... but a lot of current packages use openssl-0.9.7d since it's the stable version, so on new systems you always have to patch the 'stable' and 'working' openssl. also a lot of projects that rely on openssl as the base library have to bring a huge amount of support just to make clear to users - DON'T USE 0.9.7d - because it's broken per default on the pkcs#7 part...

the point is, usually nobody starts to search for failures in a part of software that is declared stable...

and so i really would like to see a new release of openssl 0.9.7, because this is no trustable situation actually - since one can't rely on openssl stable releases and therefore on all published packages from distributions which may use 0.9.7d. and i really can't understand how you can spread broken software, even if it may be no security risk at first view; actually i would call this a security risk.

greetings
dalini

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]