Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: openssl security issue or not? (CVE Request?)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Fri, 23 Mar 2012 17:26:23 +0100

Hi Marcus,

  below is the previous reply from Tomas Mraz, Red Hat openssl package
maintainer due these:
http://cvs.openssl.org/chngview?cn=22161
https://bugzilla.novell.com/show_bug.cgi?id=749210

I do not think this is really security sensitive bug - at worst the
decryption output will be empty or some bogus gibberish. Decryption is
not authentication on itself.

Hope this helps.

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

On 03/23/2012 05:13 PM, Marcus Meissner wrote:
Hi folks, Ivan,

This patch:
http://cvs.openssl.org/chngview?cn=22161
fixes a decrypt error return values and according to the changelog
"detects symmetric crypto errors"

I am not sure if this counts as security issue in the end, but "not
detecting a failed decrypt" seems to me like it is a security issue.

Any comments?

Ciao, Marcus
(also https://bugzilla.novell.com/show_bug.cgi?id=749210 )


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault