Hi All,

We are currently using openssl 0.9.8h in one of our components. I would like to get some additional information about the vulnerability "DTLS invalid fragment vulnerability (CVE-2014-0195)".

I could get the information about all the other vulnerabilities that are fixed in 0.9.8za, except this one, at https://www.openssl.org/news/vulnerabilities.html. At the above link, the 0.9.8 versions affected by each of the vulnerabilities are clearly mentioned. However, I could not find any information about CVE-2014-0195 there.

As per my analysis, the DTLS fragment reassembly fixes were added in openssl 0.9.8o as part of "PR 2230: Fix various DTLS fragment reassembly bugs". These fixes do not exist in openssl 0.9.8h. The vulnerability fix for CVE-2014-0195 is part of those fixes that were added in the 0.9.8o version.

I would like to know if openssl 0.9.8h is affected by the vulnerability CVE-2014-0195.

Appreciate your quick feedback on this. Thanks in advance.

regards,
-Jay.