OpenSSL/SSH 0.9.7d for FC2

Satish Balay balay at fastmail.fm
Mon Jul 19 19:03:58 UTC 2004



On Mon, 19 Jul 2004, Charles Heselton wrote:

> While it's entirely possible that I'm just getting confused on
> version number between OpenSSL and OpenSSH, these are the CVE #'s that
> I was looking to update:
>
> CAN-2004-0079 - Null-pointer assignment during SSL handshake
> CAN-2004-0112 - Out-of-bounds read affects Kerberos ciphersuites
> CAN-2004-0081 - OpenSSL 0.9.6 before 0.9.6d infinite loop vulnerability
>
> The resolution we chose at work was to upgrade to 0.9.7d.  I was
> looking to do the same for my FC2 box at home.

On FC2 - I get:

[root@localhost root]# rpm -q openssl
openssl-0.9.7a-35
[root@localhost root]# rpm -q openssl --changelog |grep CAN
- add security fixes for CAN-2004-0079, CAN-2004-0112
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
   and heap corruption (CAN-2003-0545)
   attack (CAN-2003-0131)
   (CAN-2003-0147)
- add patch for CAN-2003-0078, fixing a timing attack
[root@localhost root]#

The changelog lists CAN-2004-0079 & CAN-2004-0112 - but not
CAN-2004-0081. Not sure why. However, it is listed in the announcement:

http://www.redhat.com/archives/fedora-announce-list/2004-March/msg00020.html

Satish
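
The changelog check from this thread as a script; this is an added example, not part of the original messages. The names check_backports and sample_changelog are hypothetical, the sample input is constructed from the changelog lines quoted above, and treating the CAN- and CVE- prefixes as the same id is an assumption of the example.

```shell
#!/bin/sh
# check_backports: read `rpm -q --changelog <pkg>` text on stdin and report,
# for each advisory id given as an argument, whether the changelog names it.
# CAN-YYYY-NNNN (candidate) and CVE-YYYY-NNNN are treated as the same id.
check_backports() {
    changelog=$(cat)
    missing=0
    for id in "$@"; do
        # Strip the CAN-/CVE- prefix so either spelling matches.
        num=${id#CAN-}
        num=${num#CVE-}
        # Require a non-digit (or end of line) after the number so that
        # 2004-0081 does not match inside a longer id such as 2004-00811.
        if printf '%s\n' "$changelog" |
            grep -Eq "(CAN|CVE)-${num}([^0-9]|\$)"; then
            echo "listed   $id"
        else
            echo "MISSING  $id"
            missing=$((missing + 1))
        fi
    done
    # Exit status: number of ids not found (0 means all are listed).
    return "$missing"
}

# Constructed sample input, modelled on the changelog lines quoted above.
sample_changelog() {
    cat <<'EOF'
- add security fixes for CAN-2004-0079, CAN-2004-0112
- add security fixes for protocol parsing bugs (CAN-2003-0543, CAN-2003-0544)
- add patch for CAN-2003-0078, fixing a timing attack
EOF
}

# Demo on the constructed sample. On an RPM system, use instead:
#   rpm -q --changelog openssl | check_backports CAN-2004-0079 CAN-2004-0081
sample_changelog |
    check_backports CAN-2004-0079 CAN-2004-0112 CAN-2004-0081 || true
```

A MISSING line only means the changelog does not name the id; as this thread shows, the id can still be listed in the distribution's announcement.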




