On Nov 21, 2011, at 12:01 , Bodo Moeller wrote:

> On Mon, Nov 21, 2011 at 10:51 AM, Marco Molteni <mmolt...@cisco.com> wrote:
>
> The OpenSSL security advisory of 2011-09-06
> (http://www.mail-archive.com/openssl-announce@openssl.org/msg00108.html),
> regarding "TLS ephemeral ECDH crashes in OpenSSL" states that the issue, for
> branch 0.9.8, applies to "OpenSSL 0.9.8 through 0.9.8s".
>
> I understand that for branch 0.9.8 the workaround is to "disable ephemeral
> ECDH ciphersuites if you have enabled them", and that one should use branch
> 1.0.0. I just want to double check the status of the 0.9.8 branch and
> understand if it is still maintained or not.
>
> If I look at the repository for opensslv.h, branch 0.9.8 moved from 0.9.8r
> release to 0.9.8s-dev on 2011-02-08, and as of today it is still 0.9.8s-dev.
> This means that the day that 0.9.8s becomes release, it will still be
> vulnerable to the "TLS ephemeral ECDH crashes in OpenSSL"? Or am I missing
> something? Is it because by default 0.9.8 doesn't enable ephemeral ECDH?
>
> Sorry -- you've found an error in the advisory (which I'm fixing right now,
> in the advisory as found at http://www.openssl.org/news/secadv_20110906.txt).
> When writing the advisory, I must have thought that 0.9.8s was the latest
> released version in that branch, when really that's 0.9.8r. 0.9.8s, when
> released, will contain the fixes.
>
> Bodo
>
Hey Bodo, you may want to contact Mitre or equivalent since the CVE still
lists 0.9.8s as vulnerable.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3210

marco
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
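The confusion in the thread comes from how OpenSSL's lettered 0.9.8 versions and the "-dev" suffix order relative to each other: 0.9.8s-dev sits after the 0.9.8r release but before the 0.9.8s release, so an advisory that names 0.9.8s as both the last affected version and the fixing version contradicts itself. The following script is an added example, not code from the OpenSSL project or from anyone in this thread. It models that ordering, encodes versions the way `OPENSSL_VERSION_NUMBER` in opensslv.h does (MNNFFPPS, with the status nibble 0 = dev, 1..14 = beta, 15 = release), sanity-checks an advisory's stated range, and classifies an installed 0.9.8 build against the corrected range Bodo gives (through 0.9.8r affected, 0.9.8s fixed). The function names, the `classify` result labels and the handling of multi-letter patches such as `za` are this example's own assumptions.

```python
# Added example (not code from the OpenSSL project or from this thread):
# model OpenSSL's lettered version scheme so that a deployed 0.9.8 build can be
# checked against the corrected advisory range for the TLS ephemeral ECDH
# crash (CVE-2011-3210), and so that an advisory's own range can be checked
# for self-consistency.
import re

# Status nibble as used in OPENSSL_VERSION_NUMBER (MNNFFPPS):
# 0 = dev, 1..14 = beta N, 15 = release.
_STATUS_DEV, _STATUS_RELEASE = 0x0, 0xF

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(dev|beta(\d+)))?$")


def parse_version(text):
    """Parse '0.9.8r', '0.9.8s-dev' or '1.0.0-beta1' into an ordering key
    (major, minor, fix, patch, status). Patch letters count a=1 .. z=26,
    za=27, ... (assumed numbering for multi-letter patches)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, letters, status, beta_n = m.groups()
    patch = 26 * (len(letters) - 1) + (ord(letters[-1]) - ord("a") + 1) if letters else 0
    if status is None:
        st = _STATUS_RELEASE
    elif status == "dev":
        st = _STATUS_DEV
    else:
        st = int(beta_n)
        if not 1 <= st <= 14:
            raise ValueError(f"beta number out of range: {text!r}")
    return (int(major), int(minor), int(fix), patch, st)


def version_number(text):
    """Encode as the OPENSSL_VERSION_NUMBER integer from opensslv.h (MNNFFPPS)."""
    major, minor, fix, patch, st = parse_version(text)
    if patch > 0xFF:
        raise ValueError("patch letters exceed the 8-bit PP field")
    return (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | st


def advisory_range_is_consistent(affected_through, fixed_in):
    """An advisory saying 'affected through X, fixed in X' contradicts itself:
    the last affected version must sort strictly below the first fixed one."""
    return parse_version(affected_through) < parse_version(fixed_in)


def classify(installed, affected_through="0.9.8r", fixed_in="0.9.8s"):
    """Classify an installed version against one branch's advisory range.
    Defaults are the corrected 0.9.8 range from the thread: through 0.9.8r
    affected, 0.9.8s (once released) fixed."""
    v = parse_version(installed)
    lo, hi = parse_version(affected_through), parse_version(fixed_in)
    if v[:3] != lo[:3]:
        return "other-branch"  # consult the advisory's entry for that branch
    if v >= hi:
        return "fixed"
    if v <= lo:
        return "affected"
    # Between the last affected release and the fixing release: a -dev or beta
    # snapshot of the fixing version. Whether the fix is already in the
    # snapshot cannot be inferred from the version string alone.
    return "unreleased-snapshot-verify"


if __name__ == "__main__":
    for ver in ("0.9.8r", "0.9.8s-dev", "0.9.8s", "1.0.0"):
        print(f"{ver:12} 0x{version_number(ver):08x}  {classify(ver)}")
    print("original advisory consistent?",
          advisory_range_is_consistent("0.9.8s", "0.9.8s"))
    print("corrected advisory consistent?",
          advisory_range_is_consistent("0.9.8r", "0.9.8s"))
```

Run it with the version string reported by the build you are auditing (the text form of `OPENSSL_VERSION_TEXT`, e.g. `0.9.8s-dev`). The middle result, "unreleased-snapshot-verify", is the case Marco asked about: a -dev snapshot sorts above the last affected release, but only the eventual 0.9.8s release is stated to contain the fix, so a snapshot has to be checked against the actual patch rather than trusted on its version alone.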