Message 152180 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pitrou
Recipients	giampaolo.rodola, janssen, nadeem.vawda, pitrou
Date	2012-01-28.18:55:07
SpamBayes Score	0.00018200334
Marked as misclassified	No
Message-id	<1327776911.98.0.548900592748.issue13898@psf.upfronthosting.co.za>
In-reply-to

Content
The changelog between 1.0.0d and 1.0.0e doesn't seem to list anything which could affect this test: ) Fix bug where CRLs with nextUpdate in the past are sometimes accepted by initialising X509_STORE_CTX properly. (CVE-2011-3207) [Kaspar Brand <ossl@velox.ch>] ) Fix SSL memory handling for (EC)DH ciphersuites, in particular for multi-threaded use of ECDH. (CVE-2011-3210) [Adam Langley (Google)] ) Fix x509_name_ex_d2i memory leak on bad inputs. [Bodo Moeller] ) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check signature public key algorithm by using OID xref utilities instead. Before this you could only use some ECC ciphersuites with SHA1 only. [Steve Henson] *) Add protection against ECDSA timing attacks as mentioned in the paper by Billy Bob Brumley and Nicola Tuveri, see: http://eprint.iacr.org/2011/232.pdf (from http://www.openssl.org/news/changelog.html)

The changelog between 1.0.0d and 1.0.0e doesn't seem to list anything which could affect this test:

  *) Fix bug where CRLs with nextUpdate in the past are sometimes accepted
     by initialising X509_STORE_CTX properly. (CVE-2011-3207)
     [Kaspar Brand <ossl@velox.ch>]

  *) Fix SSL memory handling for (EC)DH ciphersuites, in particular
     for multi-threaded use of ECDH. (CVE-2011-3210)
     [Adam Langley (Google)]

  *) Fix x509_name_ex_d2i memory leak on bad inputs.
     [Bodo Moeller]

  *) Remove hard coded ecdsaWithSHA1 signature tests in ssl code and check
     signature public key algorithm by using OID xref utilities instead.
     Before this you could only use some ECC ciphersuites with SHA1 only.
     [Steve Henson]

  *) Add protection against ECDSA timing attacks as mentioned in the paper
     by Billy Bob Brumley and Nicola Tuveri, see:

	http://eprint.iacr.org/2011/232.pdf

(from http://www.openssl.org/news/changelog.html)

History
Date	User	Action	Args
2012-01-28 18:55:12	pitrou	set	recipients: + pitrou, janssen, giampaolo.rodola, nadeem.vawda
2012-01-28 18:55:11	pitrou	set	messageid: <1327776911.98.0.548900592748.issue13898@psf.upfronthosting.co.za>
2012-01-28 18:55:08	pitrou	link	issue13898 messages
2012-01-28 18:55:07	pitrou	create