Hi All,

We are using OpenSSL 0.9.8d and want to confirm if we are vulnerable to CVE-2014-0195 and if there is a patch for the same.

Thanks in advance,
Venkat

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Jaya Nageswar
Sent: Monday, June 09, 2014 7:13 PM
To: openssl-users@openssl.org
Subject: OpenSSL Vulnerability CVE-2014-0195

Hi All,

We are currently using openssl 0.9.8 h version in one of our components. I would like to get some additional information about the vulnerability “DTLS invalid fragment vulnerability (CVE-2014-0195)”.

I could get the information about all other vulnerabilities that are fixed in 0.9.8 za except this vulnerability at https://www.openssl.org/news/vulnerabilities.html

The above link clearly mentions the 0.9.8 versions that are affected by each of the vulnerabilities. However, I could not find any information about CVE-2014-0195 there.

As per my analysis, the DTLS fragment reassembly fixes have been added in openssl 0.9.8 o as part of “PR 2230:Fix various DTLS fragment reassembly bugs”. These fixes do not exist in openssl 0.9.8 h. The vulnerability fix for “CVE-2014-0195” is part of those fixes that were added in the 0.9.8 o version.

I would like to know if openssl 0.9.8 h is affected by the vulnerability CVE-2014-0195.

Appreciate your quick feedback on this. Thanks in advance.

regards,
-Jay.