projects / archaic-openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
End-of-line 'secadv' branch
[archaic-openssl.git] / STATUS
diff --git a/STATUS b/STATUS
deleted file mode 100644 (file)
index 50f24dc..0000000
--- a/STATUS
+++ /dev/null
@@ -1,65 +0,0 @@
-NO CVE
-
-https://rt.openssl.org/Ticket/Display.html?id=3339
-reported=
-public=yes
-
-description=NULL pointer dereference in PKCS7_dataDecode could cause a
-crash.  But note this flaw is in an undocumented API with no known use
-cases.
-
-patched in git
-
-------------------------------------------------------------
-NO CVE
-
-https://rt.openssl.org/Ticket/Display.html?id=2608
-reported=20110923
-public=yes
-
-description=A flaw in the base64 decoder which could cause a
-negative length to be passed to memcpy.  This will likely cause
-a crash if an attacker can cause OpenSSL to parse untrusted
-base64 encoded content.
-
-patched in git
-
-------------------------------------------------------------
-CVE-2014-0198
-
-source=http://marc.info/?l=openssl-dev&m=139905714829179&w=2
-public=yes
-
-http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0198
-https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321
-
-Affects 1.0.0* 1.0.1* (not 0.9.8*)
-
-Only where an app enables SSL_MODE_RELEASE_BUFFERS 
-
-patched in git https://github.com/openssl/openssl/commit/3ef477c69f2fd39549123d7b0b869029b46cf989
-
-------------------------------------------------------------
-
-Ben: So, there's the patch sitting in the internal repo. The reporters
-suspect its a non problem because the BUF_mem system allocates enough
-spare memory to avoid an overflow, but I have not had time to verify
-that.
-
-------------------------------------------------------------
-
-Ben: And then there's the triple-handshake issue:
-https://secure-resumption.com/ - first reported in March, but Apple
-have just released a fix, so expect some PR around it.
-
-Probably only an issue for client certs with MITM
-
-------------------------------------------------------------
-NO CVE
-
-reported=20140509 (cloudflare)
-
-primes from RSA keys are left on the heap (which gave heartbleed
-a more serious consequence).  Not a vuln, but worthy hardening fix
-
-------------------------------------------------------------
Unnamed repository; edit this file 'description' to name the repository.