Re: OpenSSL Vulnerabilities

[troy <fryman () sonic net>]

On Wed, Jul 31, 2002 at 09:29:14PM +0000, Tina Bird wrote:
> The vendors listed in the CERT advisory on the OpenSSL vulnerabilities are
> all producing server-side software:
>
> http://www.cert.org/advisories/CA-2002-23.html
>
> Does anyone know if Netscape, Opera, Internet Explorer or any of the other
> browsers are vulnerable to these issues?

This from a post by Opera developer Espen Sand on news://opera.linux :

> From: Espen Sand <espen () opera com>
> Newsgroups: opera.linux
> Subject: Re: openssl bug also in Opera?
> Date: Wed, 31 Jul 2002 15:37:17 +0200
> Message-ID: <3D47E80D.93BA4EE6 () opera com>
> References: <3D47BD5D.A2A03F8F () informatik uni-kiel de>
>
> Frank Steiner wrote:
> > Hi,
> >
> > is Opera affected by the openssl bug that was just announced, or do you use
> > a different SSL implementation?
>
> I asked our security master and here is the reply:
>
> <reply>
> The only relevant part for Opera is the ANS1 issue in the second advisory. 
> The other information concerns their SSL implementation, code that we are 
> not using at all.
>
> I have the relevant patches but I do not believe the patches are vital for 
> anything but 64-bit systems. The affected buffers in our code are 16 bytes 
> long, and would in the patched version become 12 bytes long for 32 bit 
> ints/longs and pointers.
>
> These problems will in any case be fixed when I upgrade to the newest 
> OpenSSL 0.9.7 release (presently in beta 3) on main branch.
> </reply>
>
>
> -- 
> Espen Sand
> espen () opera com

hth
-troy