Mention client auth hijack for earlier servers.

[archaic-openssl.git] / STATUS

NO CVE

https://rt.openssl.org/Ticket/Display.html?id=3339
reported=
public=yes

description=NULL pointer dereference in PKCS7_dataDecode could cause a
crash.  But note this flaw is in an undocumented API with no known use
cases.

patched in git

------------------------------------------------------------
NO CVE

https://rt.openssl.org/Ticket/Display.html?id=2608
reported=20110923
public=yes

description=A flaw in the base64 decoder which could cause a
negative length to be passed to memcpy.  This will likely cause
a crash if an attacker can cause OpenSSL to parse untrusted
base64 encoded content.

patched in git

------------------------------------------------------------
CVE-2014-0198

source=http://marc.info/?l=openssl-dev&m=139905714829179&w=2
public=yes

http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0198
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321

Affects 1.0.0* 1.0.1* (not 0.9.8*)

Only where an app enables SSL_MODE_RELEASE_BUFFERS 

patched in git https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989

------------------------------------------------------------

Ben: So, there's the patch sitting in the internal repo. The reporters
suspect its a non problem because the BUF_mem system allocates enough
spare memory to avoid an overflow, but I have not had time to verify
that.

------------------------------------------------------------

Ben: And then there's the triple-handshake issue:
https://secure-resumption.com/ - first reported in March, but Apple
have just released a fix, so expect some PR around it.

Probably only an issue for client certs with MITM

------------------------------------------------------------
NO CVE

reported=20140509 (cloudflare)

primes from RSA keys are left on the heap (which gave heartbleed
a more serious consequence).  Not a vuln, but worthy hardening fix

------------------------------------------------------------