[26519] in bugtraq
Re: OpenSSL Vulnerabilities
daemon@ATHENA.MIT.EDU (troy)
Fri Aug 2 14:27:06 2002
Date: Thu, 1 Aug 2002 23:34:53 -0700
From: troy <fryman@sonic.net>
To: bugtraq@securityfocus.com
Cc: Tina Bird <tbird@precision-guesswork.com>
Message-ID: <20020801233453.A32620@sonic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020731212743.I31724-100000@sisyphus.iocaine.com>
On Wed, Jul 31, 2002 at 09:29:14PM +0000, Tina Bird wrote:
> The vendors listed in the CERT advisory on the OpenSSL vulnerabilities are
> all producing server-side software:
>
> http://www.cert.org/advisories/CA-2002-23.html
>
> Does anyone know if Netscape, Opera, Internet Explorer or any of the other
> browsers are vulnerable to these issues?
>
This from a post by Opera developer Espen Sand on news://opera.linux :
> From: Espen Sand <espen@opera.com>
> Newsgroups: opera.linux
> Subject: Re: openssl bug also in Opera?
> Date: Wed, 31 Jul 2002 15:37:17 +0200
> Message-ID: <3D47E80D.93BA4EE6@opera.com>
> References: <3D47BD5D.A2A03F8F@informatik.uni-kiel.de>
>
> Frank Steiner wrote:
> >
> > Hi,
> >
> > is Opera affected by the openssl bug that was just announced, or do you use
> > a different SSL implementation?
>
> I asked our security master and here is the reply:
>
> <reply>
> The only relevant part for Opera is the ANS1 issue in the second advisory.
> The other information concerns their SSL implementation, code that we are
> not using at all.
>
> I have the relevant patches but I do not believe the patches are vital for
> anything but 64-bit systems. The affected buffers in our code are 16 bytes
> long, and would in the patched version become 12 bytes long for 32 bit
> ints/longs and pointers.
>
> These problems will in any case be fixed when I upgrade to the newest
> OpenSSL 0.9.7 release (presently in beta 3) on main branch.
> </reply>
>
>
> --
> Espen Sand
> espen@opera.com
hth
-troy
