Re: OpenSSL/SSH 0.9.7d for FC2

On Mon, 19 Jul 2004, Charles Heselton wrote:

While it's entirely possible that I'm just getting confused on
version number between OpenSSL and OpenSSH, these are the CVE #'s that
I was looking to update:

CAN-2004-0079 - Null-pointer assignment during SSL handshake
CAN-2004-0112 - Out-of-bounds read affects Kerberos ciphersuites
CAN-2004-00811- OpenSSL 0.9.6 before 0.9.6d infinite loop vulnerability

The resolution we chose at work was to upgrade to 0.9.7d.  I was
looking to do the same for my FC2 box at home.

On FC2 - I get:

[root@localhost root]# rpm -q openssl
openssl-0.9.7a-35
[root@localhost root]# rpm -q openssl --changelog |grep CAN
- add security fixes for CAN-2004-0079, CAN-2004-0112
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
and heap corruption (CAN-2003-0545)
attack (CAN-2003-0131)
(CAN-2003-0147)
- add patch for CAN-2003-0078, fixing a timing attack
[root@localhost root]#


The changelog lists CAN-2004-0079 & CAN-2004-0112 - but not
CAN-2004-0081. Not sure why. However it is listed in the announcement ..

http://www.redhat.com/archives/fedora-announce-list/2004-March/msg00020.html

Satish
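
The changelog check from the message above, as an added example that is not part of the original post: a small shell helper that reports, per advisory ID, whether the package changelog mentions it. The function names (check_ids, missing_ids, sample_changelog) are hypothetical, and the sample input is the changelog output quoted in the message.

```shell
#!/bin/sh
# check_ids: read changelog text on stdin and, for each advisory ID given as
# an argument, print "<ID> listed" or "<ID> not-listed".
# On a live system: rpm -q --changelog openssl | check_ids ID...
check_ids() {
    changelog=$(cat)
    for id in "$@"; do
        # -F: fixed string; -w: whole word, so a truncated ID such as
        # CAN-2003-054 does not match CAN-2003-0543.
        if printf '%s\n' "$changelog" | grep -qwF -- "$id"; then
            printf '%s listed\n' "$id"
        else
            printf '%s not-listed\n' "$id"
        fi
    done
}

# missing_ids: print only the IDs the changelog does not mention.
missing_ids() {
    check_ids "$@" | awk '$2 == "not-listed" { print $1 }'
}

# Sample input: the grep output quoted in the message (openssl-0.9.7a-35).
sample_changelog() {
    cat <<'EOF'
- add security fixes for CAN-2004-0079, CAN-2004-0112
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
and heap corruption (CAN-2003-0545)
attack (CAN-2003-0131)
(CAN-2003-0147)
- add patch for CAN-2003-0078, fixing a timing attack
EOF
}

# The three IDs discussed in the thread.
sample_changelog | check_ids CAN-2004-0079 CAN-2004-0112 CAN-2004-0081
```

A "not-listed" result only means the changelog text does not name the ID; as the message notes, CAN-2004-0081 is absent from the changelog yet appears in the linked announcement, so cross-check the vendor advisory before treating an ID as unfixed.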


