On Thu, Apr 02, 2009, Shanku Roy wrote:

>
> http://openssl.org/news/secadv_20090325.txt
>
> Hello,
> Our project here is using OpenSSL version 0.9.8g
>
> It invokes X509_print_fp() openssl function to print a cert; can
> that result in calling of function ASN1_STRING_print_ex() that is mentioned in
> the "ASN1 printing crash" of above security advisory.
>
> If yes, is that reason enough to upgrade to ver 0.9.8k?
>

Depends... if the certificate comes from a trusted source then you should be OK. If there is any means to print out a certificate from an untrusted source then no. Worst case is that the application will crash. The bug cannot be exploited to run arbitrary code.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org