
Re: OpenSSL CVE-2016-2177, CVE-2016-2178

From: Leo Famulari
Subject: Re: OpenSSL CVE-2016-2177, CVE-2016-2178
Date: Mon, 13 Jun 2016 16:27:59 -0400
User-agent: Mutt/1.6.0 (2016-04-01)

On Sun, Jun 12, 2016 at 10:49:23PM +0200, Ludovic Courtès wrote:
> Leo Famulari <address@hidden> wrote:
> > CVE-2016-2177
> >
> > CVE-2016-2178
> >
> > Should we try cherry-picking the upstream commits from the OpenSSL
> > development repo?
> Sounds like it.  Could you look into it?

I've attached my patch.

According to OpenSSL's security policy [0], they seem to consider these
bugs to be "LOW severity", since they did not keep them private or issue
a new release, or even an advisory [1].

There is also some discussion of the severity in this thread:

So, perhaps it's not worth the risk of cherry-picking these commits out
of context, at least not without asking the upstream maintainers.




Attachment: 0001-gnu-openssl-Fix-CVE-2016-2177-and-CVE-2016-2178.patch
Description: Text Data

Attachment: signature.asc
Description: PGP signature
