It looks as though CVE-2014-0076 affects OpenSSL 0.9.8-based distributions as
well, correct?

It doesn't appear that the fix has been applied to the OpenSSL_0_9_8-stable
branch yet though. I suppose it might need a few tweaks to apply there
cleanly...

Thanks.

OpenSSL removes the RSA/MD5 combination from the tls12_sigalgs[] table in the
tls12_get_req_sig_algs() function when FIPS mode is in effect. (This reduced
set of signature/hash algorithm pairs is used to fill in the
supported_signature_algorithms field in the TLS 1.2 Certificate Request

How does one find the diffs corresponding to the fixes (on the 0.9.8 line) for
today's CVEs using the git web interface?

Thanks.

__
OpenSSL Project http://www.openssl.org
Development Mailing List