Re: CVE-1999-0428
--On Tuesday, March 3, 2020 5:16 PM -0500 Chris Rhoads wrote: But I've been unable to determine with certainty how the last vulnerability on this list (CVE-1999-0428) was fixed. In my research, I've found a potential OpenSSL update in release 0.9.2b that may have addressed the vulnerability: https://seclists.org/bugtraq/1999/Mar/144. But this security alert message doesn't reference any CVE number. The above email is related to this commit in the OpenSSL source tree: b4cadc6e1343c01b06613053a90ed2ee85e65090 Since it pre-dates the CVE being filed, it has no reference to the CVE itself in the commit. Someone from the OpenSSL project would have to confirm if that is indeed the fix for the above CVE (and if so, then the CVE database needs updating). Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>
CVE-1999-0428
Hi openssl-users, I am researching the known vulnerabilities of open source software that we are considering. According to the NIST NVD web site, the 1.1.1d version of OpenSSL has a few known vulnerabilities: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aopenssl&cpe_product=cpe%3A%2F%3A%3Aopenssl&cpe_version=cpe%3A%2F%3Aopenssl%3Aopenssl%3A1.1.1d It appears most of the vulnerabilities that are listed by NIST can be dismissed since the security vulnerability was actually in an application that uses OpenSSL instead of being in OpenSSL itself. But I've been unable to determine with certainty how the last vulnerability on this list (CVE-1999-0428) was fixed. In my research, I've found a potential OpenSSL update in release 0.9.2b that may have addressed the vulnerability: https://seclists.org/bugtraq/1999/Mar/144. But this security alert message doesn't reference any CVE number. The OpenSSL Vulnerabilities web page ( https://www.openssl.org/news/vulnerabilities.html) doesn't go back to 1999, so it doesn't provide any information regarding this vulnerability. Can anyone point me to OpenSSL documentation that indicates CVE-1999-0428 was fixed? Thanks.