Nmap Development mailing list archives

Re: OpenSSL 0.9.8h available.


From: Fyodor <fyodor () insecure org>
Date: Sun, 1 Jun 2008 14:17:23 -0700

On Sun, Jun 01, 2008 at 05:14:40PM +0100, jah wrote:
> On 01/06/2008 16:13, Kris Katterjohn wrote:
>
> It's broken. The dlls don't seem to be statically linked against MSVCR80
> (according to depends.exe) and nmap fails to initialise on a clean XP
> install (I've got the standalone runtime installed on my main machine
> and there, ssl is working as before).
> I've tried building OpenSSL again, but I get the same result.  I notice
> that libeay32.dll is about 32K smaller than it was before...
> I'm a bit pressed for time at the moment, but intend to have a closer
> look in a couple of hours.

Thanks for testing, Jah.  Did you check if the previous version works
on that new build machine?  Kris' SSL update seems to work on my
Windows XP SP2 box.  But I'll release 4.65 without the upgrade to
allow for further testing.  The OpenSSL security issues don't have any
code execution risks AFAICT.  It looks like, at worst, a malicious SSL
server could possibly cause Windows Nmap to crash if Nmap tries
version detection against that server.

Cheers,
-F

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

