On 08/08/14 12:26, Matt Caswell wrote:

> Hi Jaya
> 
> CVE-2014-3505 has two sites which are affected by the same problem
> (either of these can be present for the issue to occur). One
> of these is dtls1_reassemble_fragment, which you rightly say was not
> introduced until 0.9.8o. However the other site is in
> dtls1_process_out_of_seq_message. This issue was introduced in 0.9.8m.
> Therefore 0.9.8 - 0.9.8l are not affected.
> 
> CVE-2014-3506 primarily addresses issues in dtls1_reassemble_fragment.
> However it does also address a problem in the non-fragmented case where
> there was no check for the maximum handshake message size, and this
> problem also exists in 0.9.8. Therefore 0.9.8 is still affected.
> 
> CVE-2014-3507 deals with an issue where zero length fragments result in
> a memory leak due to a flaw in the logic regarding reassembling
> fragments. Since this logic does not exist in 0.9.8 - 0.9.8n, you are
> correct that they are not affected.
> 
> I will correct the Security Advisory and the vulnerabilities page with
> regards to CVE-2014-3505 and CVE-2014-3507.

I have updated the vulnerabilities page (should show on the web site
soon). I haven't updated the Security Advisory as I think the advice is
still correct (0.9.8 users are advised to upgrade to 0.9.8zb).

As noted in another thread, CVE-2014-3507 only applies to 0.9.8o onwards
and 1.0.0a onwards (i.e. not 1.0.0).

Matt
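The applicability rules Matt gives above for the 0.9.8 branch, encoded as a small checker (an added example, not code from the thread or from the OpenSSL project). It assumes the legacy OpenSSL version scheme (numeric triple plus letter suffix, where 0.9.8za sorts after 0.9.8y) and takes 0.9.8zb, the release users are told to upgrade to, as the exclusive upper bound of each range; the 1.0.x branches are deliberately out of scope.

```python
import re
from typing import Dict, List, Optional, Tuple

# Legacy OpenSSL versions look like 0.9.8, 0.9.8l, 0.9.8zb: a numeric triple
# plus an optional letter suffix. Suffixes order as "" < a..y < za < zb, so a
# key of (len(suffix), suffix) compares them correctly.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")


def version_key(version: str) -> Tuple[int, int, int, int, str]:
    """Parse a legacy OpenSSL version string into a sortable tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), len(suffix), suffix)


# First affected release (inclusive) and upgrade target (exclusive) on the
# 0.9.8 branch, as stated in the thread. The 0.9.8zb bound is an assumption
# taken from the advisory's upgrade advice quoted in the thread.
AFFECTED_098: Dict[str, Tuple[str, str]] = {
    # dtls1_process_out_of_seq_message site introduced in 0.9.8m
    "CVE-2014-3505": ("0.9.8m", "0.9.8zb"),
    # missing max handshake message size check exists in all of 0.9.8
    "CVE-2014-3506": ("0.9.8", "0.9.8zb"),
    # fragment reassembly logic (and its leak) only present from 0.9.8o
    "CVE-2014-3507": ("0.9.8o", "0.9.8zb"),
}


def affected_cves(version: str) -> Optional[List[str]]:
    """Return the thread's CVEs that apply to a 0.9.8-branch version, or
    None when the version is on a branch this checker does not cover."""
    key = version_key(version)
    if key[:3] != (0, 9, 8):
        return None
    return [
        cve
        for cve, (first, fixed) in AFFECTED_098.items()
        if version_key(first) <= key < version_key(fixed)
    ]


if __name__ == "__main__":
    for v in ("0.9.8l", "0.9.8m", "0.9.8o", "0.9.8zb"):
        print(v, affected_cves(v))
```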

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org