oss-sec mailing list archives
Re: openssl security issue or not? (CVE Request?)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Mar 2012 17:26:23 +0100
Hi Marcus,

below is the previous reply from Tomas Mraz, Red Hat openssl package maintainer, regarding these:

http://cvs.openssl.org/chngview?cn=22161
https://bugzilla.novell.com/show_bug.cgi?id=749210

I do not think this is really a security-sensitive bug - at worst the decryption output will be empty or some bogus gibberish. Decryption is not authentication in itself.

Hope this helps.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 03/23/2012 05:13 PM, Marcus Meissner wrote:

Hi folks, Ivan,

This patch: http://cvs.openssl.org/chngview?cn=22161 fixes decrypt error return values and, according to the changelog, "detects symmetric crypto errors".

I am not sure if this counts as a security issue in the end, but "not detecting a failed decrypt" seems to me like it is a security issue.

Any comments?

Ciao, Marcus

(also https://bugzilla.novell.com/show_bug.cgi?id=749210 )