On Thu, Dec 02, 2010 at 03:03:02PM -0500, Erik Tkal wrote:
> Can someone point to details on CVE-2010-4180 and CVE-2010-4252?
> CVE-2010-3864 was the reason 1.0.0b was released, but I cannot find any
> references to the other two.
1.0.0c contains important non-security bug fixes for 1.0.0b, so you should
deploy 1.0.0c anyway.

- 4252 is only of interest if you enabled the experimental JPAKE support.
  It is off by default.

- 4180 resolves a ciphersuite downgrade attack for applications that use
  SSL_OP_ALL and thereby enable a work-around for Netscape 2.01, which is
  disabled in the 1.0.0c release as it creates the cipher downgrade risk.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
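The option-mask arithmetic behind Viktor's second point, as an added example that is not part of the thread and not OpenSSL project code: SSL_OP_ALL is a bundle of bug work-arounds, and in releases before 1.0.0c the bundle includes SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG, the Netscape 2.01 work-around that CVE-2010-4180 turns into a ciphersuite downgrade. An application that cannot move to 1.0.0c yet can keep the rest of SSL_OP_ALL and clear just that bit. The helper names (enables_netscape_reuse_workaround, harden_options) are hypothetical; the fallback value 0x00000008L is assumed to be the one OpenSSL 1.0.0's ssl.h assigns to that macro and is only used when the real header is not found. On 1.1.0 and later headers the macro is defined as 0 because the work-around code no longer exists, so the hardening step becomes a harmless no-op there.

```c
/*
 * Added example, not code from the thread or from the OpenSSL project.
 * Demonstrates clearing the CVE-2010-4180 work-around bit from an
 * SSL_OP_ALL-style option mask on an OpenSSL build older than 1.0.0c.
 */
#include <stdio.h>

/* Use the real OpenSSL header when it is available (gcc/clang __has_include). */
#if defined(__has_include)
# if __has_include(<openssl/ssl.h>)
#  include <openssl/ssl.h>
#  define HAVE_OPENSSL_HEADERS 1
# endif
#endif

/* Fallback so the mask arithmetic compiles without the OpenSSL headers.
 * Assumption: 0x00000008L is the value OpenSSL 1.0.0's ssl.h gives this
 * option; it is copied from that header, not from the thread. */
#ifndef SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
# define SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG 0x00000008L
#endif

/* Does this option mask still enable the Netscape cipher-change work-around?
 * (Always 0 on 1.1.0+ headers, where the macro is 0 and the code is gone.) */
int enables_netscape_reuse_workaround(long opts)
{
    return (opts & SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG) != 0;
}

/* Return the same mask with only the dangerous bit cleared. Every other bit
 * the application asked for (the remaining SSL_OP_ALL work-arounds,
 * SSL_OP_NO_SSLv2, and so on) is preserved. */
long harden_options(long opts)
{
    return opts & ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG;
}

int main(void)
{
#ifdef HAVE_OPENSSL_HEADERS
    /* What a typical application passed, and what it should pass instead. */
    long before = (long)SSL_OP_ALL;
    long after  = harden_options(before);
    printf("SSL_OP_ALL           = 0x%08lx (workaround on: %d)\n",
           (unsigned long)before, enables_netscape_reuse_workaround(before));
    printf("hardened option mask = 0x%08lx (workaround on: %d)\n",
           (unsigned long)after, enables_netscape_reuse_workaround(after));
    /* In the application itself the call becomes:
     *   SSL_CTX_set_options(ctx, SSL_OP_ALL & ~SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
     * It is not called here so the example needs no link against libssl. */
#else
    /* Constructed mask: the dangerous bit plus one unrelated bit (0x800 is
     * SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS in 1.0.0; assumed value). */
    long before = SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG | 0x800L;
    long after  = harden_options(before);
    printf("constructed mask 0x%08lx -> hardened 0x%08lx (workaround on: %d)\n",
           (unsigned long)before, (unsigned long)after,
           enables_netscape_reuse_workaround(after));
#endif
    return 0;
}
```

Note that this only removes the one work-around; it does not replace the 1.0.0c upgrade, which also carries the non-security fixes Viktor mentions.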