On 25/08/14 09:57, sandeep umesh wrote:
> Hello users,
>
> NVD vulnerability database confirms the below link as the patch for
> CVE-2014-5139 -
>
> https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=80bd7b41b30af6ee96f519e629463583318de3b0
>
> This is indicating to CVE-2014-2970.
>
> Whereas, the commit for CVE-2014-5139 seems to be -
> https://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=83764a989dcc87fbea337da5f8f86806fe767b7e
>
> Can someone please confirm the patch for this CVE? Thanks
CVE-2014-5139 had an id change during its development. It was originally known as CVE-2014-2970, but before it was released this was changed to CVE-2014-5139. All references to CVE-2014-2970 should have been changed to CVE-2014-5139, but apparently this one got missed. Essentially, CVE-2014-2970 and CVE-2014-5139 should be considered synonymous within OpenSSL.

The two commits that you have identified are on different branches (thanks to Kurt for pointing this out to me). The first commit is on the master branch, and is the fix for dev versions of OpenSSL. It has also been backported to the 1.0.2 beta branch in git. However, it does not, as yet, appear in any released version of OpenSSL.

The second commit is the version for the 1.0.1 branch in git. This is the patch that has been applied in 1.0.1i. The NVD database should probably refer to this second commit instead.

Matt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org