Dr. Henson,

Can you give me any information with regards to how the exploitation of CVE-2013-6450 against 0.9.8y may manifest itself? If not a DoS, could it cause a process using libssl to core, cause libssl to return an "okay" when it should have returned an error status, leak sensitive information, etc.?

Thanks.

----- Original Message -----
> Sent: Thursday, January 16, 2014 1:51 PM
> Subject: Re: CVE-2013-6450 and 0.9.8-line
>
> Oh, okay. Thank you for that tidbit.
>
> If not a DoS, how does the issue manifest itself in 0.9.8 if an adversary
> uses/attempts to use the flaw?
>
> Thanks.
>
> ----- Original Message -----
>> From: Dr. Stephen Henson <st...@openssl.org>
>> To: openssl-users@openssl.org
>> Cc:
>> Sent: Thursday, January 16, 2014 12:22 PM
>> Subject: Re: CVE-2013-6450 and 0.9.8-line
>>
>> On Thu, Jan 16, 2014, no_spam...@yahoo.com wrote:
>>
>>> It is my understanding that 0.9.8y contains the DTLS retransmission flaw
>>> described in CVE-2013-6450.
>>
>> It contains the flaw but it is not a DoS issue in 0.9.8.
>>
>> It's not a trivial fix for 0.9.8 because the DTLS record handling changed in
>> 1.0.0.
>>
>> Steve.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org