Ah, this is what I get for not examining the headings more closely.

Hey, Dr. Steve, have you run the ASN.1 test suite against CryptoAPI?
I remember there was a buffer overrun problem in the ASN.1 code
therein about a year ago...

(I'm also curious, do you know if NISCC's planning on making that test
suite publicly available?)

Thanks!

-Kyle H

On 9/29/06, Brad House wrote:
> > The security advisory only has 3 security issues referenced within it,
> > though it mentions 4 security fixes. Is the fourth one the "RSA
> > signature with modulus 3 forgery" issue fixed in 0.9.8c and 0.9.7k?
>
> No, look closer, the first one (ASN.1 Denial of Service Attacks [yes,
> plural]), has two advisories, CVE-2006-2937 and CVE-2006-2940.
> Then obviously there is the buffer overflow (CVE-2006-3738) and
> the SSLv2 client crash (CVE-2006-4343).
>
> -Brad
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majordomo@openssl.org
>


