[Pkg-openssl-devel] CVE-2007-4995 and CVE-2007-5135
Bennet Fauber
bennet at umich.edu
Tue Mar 11 21:43:36 UTC 2008
Sorry to bother you with questions. We've found a great deal of confusion
about the two vulnerabilities CVE-2007-4995 and CVE-2007-5135. These were
reported in the same advisory from openssl,
http://www.openssl.org/news/secadv_20071012.txt
on Oct 12, 2008. The two bugs appear to affect slightly different sets of
openssl versions, and they both appear to be off-by-one errors. I think I
see that one, CVE-2007-5135, which was off-by-one in the
SSL_get_shared_ciphers() function from the changelog, but I don't see any
reference to CVE-2007-4995 which may not have been reported until Oct.
The second of these affects DTLS, and I have been unable to find anyplace
where DTLS is actually used, so it may not matter much.
But, there is a security department sending me nagging letters, so I
thought I would ask whether you know anything about that second bug and
whether it is likely to be addressed?
Thanks, -- bennet
--
System Administrator
Mathematics Department
University of Michigan
(734) 763-6521