Hi, I'm a student and I've been doing some security testing of a VPN
from a rather large vendor as part of a school project. During my
mapping of the VPN, I discovered the version of OpenSSL that they are
distributing is "0.9.8h-fips-dev 19 mar 2008". As I understand it, that
makes this a development branch, I presume compiled on March 19, 2008
(please correct me if I am wrong!)
I am wondering how I could determine, with only access to the compiled
binary, if this version has any missing security fixes (much of the
company's product is Debian based, however I already did check and the
keys it generates do not appear on the blacklists of known bad keys, so
I believe OpenSSL is a direct compile rather than a Debian download). I
know there were security announcements after that date, and that 0.9.8h
was not officially released until late May, hence my concern.
Thanks in advance for any input!
Sam Lavitt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]