On Thu, Apr 19, 2012 at 8:52 AM, Kevin Fowler wrote:
2. I am using OpenSSL/FIPS on a system with /dev/urandom. Although the
rand_unix.c RAND_poll() function is called only once with the released code,
after the system has been up for a bit after reboot, I have assumed that the
read from /dev/u
On Fri, Apr 20, 2012, Roumen Petrov wrote:
> Dr. Stephen Henson wrote:
> >On Wed, Apr 18, 2012, Erik Tkal wrote:
> >
> >>Any takers? Should I be able to build a FIPS-capable OpenSSL and have some
> >>of the implementation be provided via an ENGINE (e.g. let's say I have a
> >>hardware module to
We run a site that uses the F5 Networks BIG-IP load balancer, and OpenSSL 1.0.1
triggers this bug on the load balancer. When it occurs, the load balancer
neither forwards the request to a pool member, nor does it respond to the
OpenSSL client. There are warning messages in the load balancer's
Dr. Stephen Henson wrote:
On Wed, Apr 18, 2012, Erik Tkal wrote:
Any takers? Should I be able to build a FIPS-capable OpenSSL and have some of
the implementation be provided via an ENGINE (e.g. let's say I have a hardware
module to perform AES) but some by the OpenSSL FIPS canister? Or is i
With fixed in http://cvs.openssl.org/chngview?cn=22455. seems compile ok。
--
qun-ying
- Original Message -
> From: zhu qun-ying
> To: "openssl-dev@openssl.org"
> Cc:
> Sent: Thursday, April 19, 2012 2:57:05 PM
> Subject: Re: [openssl.org #2792] Crash in rc4 on x86_64
>
> I encounte
I encounter compilation error when compiling for ARM platform wth OpenSSL
1.0.1a:
make -f ../Makefile.shared -e \
APPNAME=openssl OBJECTS="openssl.o verify.o asn1pars.o req.o dgst.o dh.o
dhparam.o enc.o passwd.o gendh.o errstr.o ca.o pkcs7.o crl2p7.o crl.o rsa.o
rsautl.o dsa.o dsaparam.o ec.o
On Thu, Apr 19, 2012, Erik Tkal wrote:
> The detailed analysis for CVE-2012-2110 implies issues with truncation,
> specifically int vs long vs size_t. Is the problem limited to platforms
> where these are different sizes? The analysis says not limited to I32LP64,
> but does not rule out any plat
This looks simular to the AES problem with had, with a length of 0?
For reference. What was going on was the RC4_set_key was generating
compact key schedule on Intel legacy CPU, while rc4_md5_enc was treating
as non-compact with 32-bit elements. As results it was messed up in such
way that in
The detailed analysis for CVE-2012-2110 implies issues with truncation,
specifically int vs long vs size_t. Is the problem limited to platforms where
these are different sizes? The analysis says not limited to I32LP64, but does
not rule out any platforms where it is not an issue. Can it occur
On Thu, Apr 19, 2012 at 09:08:48PM +0200, Kurt Roeckx wrote:
> On Wed, Apr 18, 2012 at 08:04:28PM +0200, Andy Polyakov via RT wrote:
> > > I've had 2 users report a crash in RC4() on x86_64. The
> > > backtrace looks like:
> > > #0 RC4 () at rc4-x86_64.s:343
> > > #1 0x012d in ?? ()
On Wed, Apr 18, 2012 at 08:04:28PM +0200, Andy Polyakov via RT wrote:
> > I've had 2 users report a crash in RC4() on x86_64. The
> > backtrace looks like:
> > #0 RC4 () at rc4-x86_64.s:343
> > #1 0x012d in ?? ()
> > #2 0x00df in ?? ()
> > #3 0x020b5660 in ?? ()
A couple of questions on Thor's proposed patch:
1. There has been no discussion - does that imply a passive acceptance or
passive rejection?
2. I am using OpenSSL/FIPS on a system with /dev/urandom. Although the
rand_unix.c RAND_poll() function is called only once with the released
code, after th
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
OpenSSL Security Advisory [19 Apr 2012]
===
ASN1 BIO vulnerability (CVE-2012-2110)
===
A potentially exploitable vulnerability has been discovered in the OpenSSL
function asn1_d2
Hi,
The problem is fixed with your patch. Thank you!
Regards,
Cédric Marie.
>
> De : Andy Polyakov via RT
>À : cedric.ma...@yahoo.fr
>Cc : openssl-dev@openssl.org
>Envoyé le : Jeudi 19 avril 2012 8h48
>Objet : Re: [openssl.org #2793] bug report : SCRIPTS en
14 matches
Mail list logo
