Am I reading the changes file correctly: if you don't use Kerberos,
then this vulnerability doesn't apply?

Thanks,

Paul
___________________________________
Paul A. Suhler | Firmware Engineer | Quantum Corporation | Office:
949.856.7748 | [email protected] 
___________________________________
Disregard the Quantum Corporation confidentiality notice below.  The
information contained in this transmission is not confidential.
Permission is hereby explicitly granted to disclose, copy, and further
distribute to any individuals or organizations, without restriction.

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Bodo Moeller
Sent: Thursday, March 25, 2010 11:40 AM
To: [email protected]
Subject: Re: OpenSSL Security Advisory

On Mar 25, 2010, at 6:33 PM, Jean-Marc Desperrier wrote:

> OpenSSL wrote:
>> "Record of death" vulnerability in OpenSSL 0.9.8f through 0.9.8m
>
> How come the vulnerability doesn't affect 0.9.8e, though the patched 
> file wasn't modified between 0.9.8e and 0.9.8f?
>
> But that code was modified between 0.9.8d and 0.9.8e, see this patch :
> http://cvs.openssl.org/filediff?f=openssl/ssl/s3_pkt.c&v1=1.60&v2=1.61
>
> Could it be a reference mistake, and this vulnerability actually affects 
> 0.9.8e through 0.9.8m?

No, it's not a mistake -- it's code elsewhere that no longer tolerates
the coarse logic we are changing in the patch, which has been around
forever.

Bodo

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
______________________________________________________________________