Leo Famulari <l...@famulari.name> wrote:

> On Sun, Jun 12, 2016 at 10:49:23PM +0200, Ludovic Courtès wrote:
>> Leo Famulari <l...@famulari.name> wrote:
>> > CVE-2016-2177
>> > http://seclists.org/oss-sec/2016/q2/500
>> >
>> > CVE-2016-2178
>> > http://seclists.org/oss-sec/2016/q2/493
>> >
>> > Should we try cherry-picking the upstream commits from the OpenSSL
>> > development repo?
>>
>> Sounds like it. Could you look into it?
>
> I've attached my patch.
>
> According to OpenSSL's security policy [0], they seem to consider these
> bugs to be "LOW severity", since they did not keep them private or issue
> a new release, or even an advisory [1].
>
> There is also some discussion of the severity in this thread:
> http://seclists.org/oss-sec/2016/q2/493
>
> So, perhaps it's not worth the risk of cherry-picking these commits out
> of context, at least not without asking the upstream maintainers.
>
> Thoughts?

I don't feel qualified to judge the severity of the bug (they do seem hard to exploit, but I'm no expert.) Since you've already done the work, I think we should simply apply those fixes.

Makes sense?

Thank you!

Ludo'.