On Wed, Mar 26, 2014, Viktor Dukhovni wrote:

> On Tue, Mar 25, 2014 at 09:23:58PM +0000, geoff_l...@mcafee.com wrote:
>
> > It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based
> > distributions as well, correct?
>
> Isn't this an ECDSA issue? I thought that EC algorithms are by
> default disabled in OpenSSL 0.9.8 (require explicit ECCdraft in
> cipherlist to enable and do not appear in either DEFAULT or ALL).
>

Certainly for TLS ECC ciphersuites are disabled by default in OpenSSL 0.9.8
though applications might use ECC for other purposes.

> Perhaps given the number of post-0.9.8y commits pending on the
> OpenSSL_0_9_8-stable branch, one final "z" release could be issued,
> no more commits made after that, and plans to not make any further
> releases announced?
>

That sounds reasonable to me. Though it would be version 0.9.8za.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org