Message-ID: <4F6CA42F.5040306@redhat.com>
Date: Fri, 23 Mar 2012 17:26:23 +0100
From: Jan Lieskovsky <jlieskov@...hat.com>
To: Marcus Meissner <meissner@...e.de>
CC: oss-security@...ts.openwall.com, inestlerode@...ibm.com,
        Tomas Mraz <tmraz@...hat.com>
Subject: Re: openssl security issue or not? (CVE Request?)

Hi Marcus,

below is the previous reply from Tomas Mraz, Red Hat openssl package
maintainer, regarding these:
http://cvs.openssl.org/chngview?cn=22161
https://bugzilla.novell.com/show_bug.cgi?id=749210

>> I do not think this is really a security sensitive bug - at worst the
>> decryption output will be empty or some bogus gibberish. Decryption is
>> not authentication in itself.

Hope this helps.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 03/23/2012 05:13 PM, Marcus Meissner wrote:
> Hi folks, Ivan,
>
> This patch:
> http://cvs.openssl.org/chngview?cn=22161
> fixes decrypt error return values and according to the changelog
> "detects symmetric crypto errors"
>
> I am not sure if this counts as security issue in the end, but "not
> detecting a failed decrypt" seems to me like it is a security issue.
>
> Any comments?
>
> Ciao, Marcus
> (also https://bugzilla.novell.com/show_bug.cgi?id=749210 )
