dpb

Reputation: 353

Is OpenSSL 0.9.8h affected by CVE-2014-0195?

I have spent time trying to find out if OpenSSL 0.9.8h is affected by CVE-2014-0195, but it seems I will have to understand the entire file d1_both.c to answer this question.

1) A preliminary look at the released patch suggests that 0.9.8h is not vulnerable to the above CVE, since all the fragment reassembly stuff was added in 0.9.8o, and the patch is all about fragment reassembly.

The function dtls1_reassembly_fragment() is missing in 0.9.8h, so one may assume we are okay.

2) But closer examination shows that the bug is about not checking the 'actual size of fragment' against the 'fragment length stored in the header of fragment'.

Any help is much appreciated while I continue with understanding the code flow.

Upvotes: 0

Views: 156
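
The kind of check described in point 2 of the question, as an added example that is not part of the original post and is not OpenSSL's code: a stand-alone validator for the 12-byte DTLS handshake header (layout per RFC 6347) that compares the declared fragment length with the bytes actually received. It goes one step beyond point 2 by also requiring later fragments to announce the same total message length as the first; `check_fragment`, the status codes and the `MAX_MSG_LEN` cap are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DTLS_HS_HDR_LEN 12      /* type(1) length(3) seq(2) frag_off(3) frag_len(3) */
#define MAX_MSG_LEN     16384u  /* assumed cap on a reassembled message */

enum frag_status { FRAG_OK, FRAG_SHORT_HDR, FRAG_TOO_BIG, FRAG_OUT_OF_RANGE,
                   FRAG_BODY_MISMATCH, FRAG_LEN_CHANGED };

/* Read a 24-bit big-endian integer. */
static uint32_t be24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* rec/rec_len: handshake header plus body as received.
 * first_msg_len: total length announced by the first fragment seen for this
 * message, or NULL when this is the first fragment. */
enum frag_status check_fragment(const uint8_t *rec, size_t rec_len,
                                const uint32_t *first_msg_len)
{
    if (rec_len < DTLS_HS_HDR_LEN)
        return FRAG_SHORT_HDR;
    uint32_t msg_len  = be24(rec + 1);  /* total handshake message length */
    uint32_t frag_off = be24(rec + 6);  /* offset of this fragment */
    uint32_t frag_len = be24(rec + 9);  /* declared length of this fragment */

    if (msg_len > MAX_MSG_LEN)
        return FRAG_TOO_BIG;
    /* Fragment must lie inside the message (subtraction form cannot wrap). */
    if (frag_off > msg_len || frag_len > msg_len - frag_off)
        return FRAG_OUT_OF_RANGE;
    /* Declared fragment length must equal the bytes actually present. */
    if (frag_len != rec_len - DTLS_HS_HDR_LEN)
        return FRAG_BODY_MISMATCH;
    /* Every fragment of one message must announce the same total length. */
    if (first_msg_len != NULL && msg_len != *first_msg_len)
        return FRAG_LEN_CHANGED;
    return FRAG_OK;
}

int main(void)
{
    /* Constructed sample: msg_len 8, frag_off 4, frag_len 4, 4 body bytes. */
    const uint8_t rec[16] = {1, 0,0,8, 0,0, 0,0,4, 0,0,4, 0xaa,0xbb,0xcc,0xdd};
    printf("full record: %d, truncated record: %d\n",
           (int)check_fragment(rec, sizeof rec, NULL),
           (int)check_fragment(rec, sizeof rec - 1, NULL));
    return 0;
}
```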

Answers (2)

dpb

Reputation: 353

As per https://www.openssl.org/news/vulnerabilities.html, published 23rd June 2014, OpenSSL 0.9.8h is not affected by CVE-2014-0195.

Only OpenSSL versions 0.9.8o and above are affected.

Upvotes: 0

ekcr1

Reputation: 4514

According to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195, 0.9.8h is a vulnerable version. I would probably trust the advisory more than my code introspection skills :)

Upvotes: 1
