On Mon, Nov 21, 2011 at 10:51 AM, Marco Molteni <mmolt...@cisco.com> wrote:
> The OpenSSL security advisory of 2011-09-06
> ( http://www.mail-archive.com/openssl-announce@openssl.org/msg00108.html ),
> regarding "TLS ephemeral ECDH crashes in OpenSSL", states that the issue,
> for branch 0.9.8, applies to "OpenSSL 0.9.8 through 0.9.8s".
>
> I understand that for branch 0.9.8 the workaround is to "disable ephemeral
> ECDH ciphersuites if you have enabled them", and that one should use branch
> 1.0.0. I just want to double check the status of the 0.9.8 branch and
> understand if it is still maintained or not.
>
> If I look at the repository for opensslv.h, branch 0.9.8 moved from the 0.9.8r
> release to 0.9.8s-dev on 2011-02-08, and as of today it is still
> 0.9.8s-dev. This means that the day 0.9.8s becomes a release, it will
> still be vulnerable to the "TLS ephemeral ECDH crashes in OpenSSL"? Or am I
> missing something? Is it because by default 0.9.8 doesn't enable ephemeral
> ECDH?

Sorry -- you've found an error in the advisory (which I'm fixing right now, in
the advisory as found at http://www.openssl.org/news/secadv_20110906.txt).
When writing the advisory, I must have thought that 0.9.8s was the latest
released version in that branch, when really that's 0.9.8r.

0.9.8s, when released, will contain the fixes.

Bodo
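The advisory's 0.9.8 workaround quoted above is to disable ephemeral ECDH cipher suites if they were enabled. The following is an added example, not code from this thread, from Marco, Bodo or the OpenSSL project: it audits an `openssl ciphers -v` listing and reports which suites use ephemeral ECDH key exchange (ECDHE-* and the anonymous AECDH-* suites), which are the ones the advisory concerns, while leaving fixed ECDH-* suites alone. The sample listing is constructed in the `-v` output format of the 0.9.8/1.0.0 series rather than captured from a real run; `audit_cipher_string` shells out to a local `openssl` binary only if one is present.

```python
"""Audit an `openssl ciphers -v` listing for ephemeral ECDH cipher suites.

Added example, not from the mailing-list thread or from OpenSSL itself.
In the `-v` output, ephemeral suites (ECDHE-*, AECDH-*) print `Kx=ECDH`
exactly, while fixed ECDH suites print `Kx=ECDH/RSA` or `Kx=ECDH/ECDSA`,
so the key-exchange column alone separates the two.
"""
import re
import subprocess

# Constructed sample of `openssl ciphers -v 'ALL'` output (abbreviated, not captured).
SAMPLE_LISTING = """\
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH       Au=RSA   Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH       Au=ECDSA Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH       Au=None  Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA   Au=ECDH  Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH         Au=RSA   Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA        Au=RSA   Enc=AES(256)  Mac=SHA1
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # matches Kx=..., Au=..., Enc=..., Mac=...


def parse_listing(text):
    """Return one dict per suite: name, proto, plus the Kx/Au/Enc/Mac fields."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        suite = {"name": parts[0], "proto": parts[1]}
        suite.update(FIELD_RE.findall(line))  # list of (key, value) pairs
        suites.append(suite)
    return suites


def is_ephemeral_ecdh(suite):
    """Ephemeral ECDH prints Kx=ECDH exactly; fixed ECDH prints Kx=ECDH/<sig>."""
    return suite.get("Kx") == "ECDH"


def ephemeral_ecdh_suites(text):
    """Names of the ephemeral ECDH suites present in a `ciphers -v` listing."""
    return [s["name"] for s in parse_listing(text) if is_ephemeral_ecdh(s)]


def audit_cipher_string(cipher_string, openssl="openssl"):
    """Expand a cipher string with the local openssl binary and return the
    ephemeral ECDH suites it enables, or None if openssl is unavailable."""
    try:
        out = subprocess.run([openssl, "ciphers", "-v", cipher_string],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return ephemeral_ecdh_suites(out)


if __name__ == "__main__":
    print("Ephemeral ECDH suites in constructed sample:",
          ephemeral_ecdh_suites(SAMPLE_LISTING))
    # The kEECDH cipher-string element selects ephemeral ECDH key agreement, so
    # appending !kEECDH is the workaround the advisory describes; with it the
    # audit of a real cipher string should come back empty.
    for cs in ("ALL", "ALL:!kEECDH"):
        print(cs, "->", audit_cipher_string(cs))
```

Run it against the cipher string your server actually configures (the argument to `audit_cipher_string`) rather than `ALL`: an empty result means no ephemeral ECDH suite can be negotiated, which is the state the workaround asks for until 0.9.8s ships.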