Thanks for your response. How do I get a patch for just this issue which I can use to update?

--
regards,
Shanku Roy

--- On Thu, 4/2/09, Dr. Stephen Henson <st...@openssl.org> wrote:

From: Dr. Stephen Henson <st...@openssl.org>
Subject: Re: ASN1 printing crash: Security Advisory -- 25-Mar-2009
To: openssl-users@openssl.org
Date: Thursday, April 2, 2009, 1:29 PM

On Thu, Apr 02, 2009, Shanku Roy wrote:

> http://openssl.org/news/secadv_20090325.txt
>
> Hello,
> Our project here is using OpenSSL version 0.9.8g
>
> It invokes X509_print_fp() openssl function to print a cert; can that result in calling of function ASN1_STRING_print_ex() that is mentioned in the "ASN1 printing crash" of above security advisory?
>
> If yes, is that reason enough to upgrade to ver 0.9.8k?
>

Depends... if the certificate comes from a trusted source then you should be OK. If there is any means to print out a certificate from an untrusted source then no.

Worst case is that the application will crash. The bug cannot be exploited to run arbitrary code.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk