Hi All, We are using OpenSSL version 0.9.8h. We take the security vulnerability fixes from latest release of OpenSSL 0.9.8 series and patch our internally used 0.9.8h.
>From the OpenSSL release 0.9.8za, we took CVE-2014-0224 and merged it our OpenSSL code. But in latest release 0.9.8za, I see that there is a change which seems to be leftover piece of 0224 fix. The doubt is regarding PR#3400. It seems to be the leftover piece of CVE-2014-0224 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224>. Please see the links below. PR#3400 http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=70d923fb0359ed68e59b8c59d1687ebff6f8d952 CVE-2014-0224 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224> http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=410a49a4fa1d2a1a9775ee29f9e40cbbda79c149 Can someone from OpenSSL team confirm if PR#3400 is part of CVE-2014-0224 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224> and we should merge this fix as well? Thanks for your support. Regards, Aditya