Ah, this is what I get for not examining the headings more closely.
Hey, Dr. Steve, have you run the ASN.1 test suite against CryptoAPI? I remember there was a buffer overrun problem in the ASN.1 code therein about a year ago... (I'm also curious, do you know if NISCC's planning on making that test suite publicly available?)

Thanks!

-Kyle H

On 9/29/06, Brad House <[EMAIL PROTECTED]> wrote:
> The security advisory only has 3 security issues referenced within it,
> though it mentions 4 security fixes. Is the fourth one the "RSA
> signature with modulus 3 forgery" issue fixed in 0.9.8c and 0.9.7k?

No, look closer, the first one (ASN.1 Denial of Service Attacks [yes, plural]), has two advisories, CVE-2006-2937 and CVE-2006-2940. Then obviously there is the buffer overflow (CVE-2006-3738) and the SSLv2 client crash (CVE-2006-4343).

-Brad
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
--
-Kyle H
