Date: Fri, 23 Mar 2012 17:26:23 +0100 From: Jan Lieskovsky <jlieskov@...hat.com> To: Marcus Meissner <meissner@...e.de> CC: oss-security@...ts.openwall.com, inestlerode@...ibm.com, Tomas Mraz <tmraz@...hat.com> Subject: Re: openssl security issue or not? (CVE Request?) Hi Marcus, below is the previous reply from Tomas Mraz, Red Hat openssl package maintainer due these: http://cvs.openssl.org/chngview?cn=22161 https://bugzilla.novell.com/show_bug.cgi?id=749210 >> I do not think this is really security sensitive bug - at worst the >> decryption output will be empty or some bogus gibberish. Decryption is >> not authentication on itself. Hope this helps. Thanks && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team On 03/23/2012 05:13 PM, Marcus Meissner wrote: > Hi folks, Ivan, > > This patch: > http://cvs.openssl.org/chngview?cn=22161 > fixes a decrypt error return values and according to the changelog > "detects symmetric crypto errors" > > I am not sure if this counts as security issue in the end, but "not > detecting a failed decrypt" seems to me like it is a security issue. > > Any comments? > > Ciao, Marcus > (also https://bugzilla.novell.com/show_bug.cgi?id=749210 )
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.