CVE-1999-0428


CVE-1999-0428

Chris Rhoads

Hi openssl-users,


I am researching the known vulnerabilities of open source software that we are considering.  According to the NIST NVD web site, the 1.1.1d version of OpenSSL has a few known vulnerabilities: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aopenssl&cpe_product=cpe%3A%2F%3A%3Aopenssl&cpe_version=cpe%3A%2F%3Aopenssl%3Aopenssl%3A1.1.1d


It appears most of the vulnerabilities that are listed by NIST can be dismissed since the security vulnerability was actually in an application that uses OpenSSL instead of being in OpenSSL itself.


But I've been unable to determine with certainty how the last vulnerability on this list (CVE-1999-0428) was fixed.  In my research, I've found a potential OpenSSL update in release 0.9.2b that may have addressed the vulnerability: https://seclists.org/bugtraq/1999/Mar/144.  But this security alert message doesn't reference any CVE number.


The OpenSSL Vulnerabilities web page (https://www.openssl.org/news/vulnerabilities.html) doesn't go back to 1999, so it doesn't provide any information regarding this vulnerability.


Can anyone point me to OpenSSL documentation that indicates CVE-1999-0428 was fixed?  Thanks.
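An added example (not code from this thread) of the triage the post above describes: given NVD records, keep for review only those CVEs where an OpenSSL CPE is itself marked vulnerable, and set aside those where OpenSSL appears only as the platform of an affected application. It assumes the NVD JSON 1.1 feed layout (`CVE_Items` -> `configurations` -> `nodes` -> `cpe_match`), and the records are constructed samples, not real NVD data.

```python
# Assumes the NVD JSON 1.1 feed layout (CVE_Items -> configurations -> nodes
# -> cpe_match); added example, the sample records below are constructed.
OPENSSL_CPE_PREFIX = "cpe:2.3:a:openssl:openssl:"

def _walk_matches(nodes):
    """Yield every cpe_match entry, descending into nested AND/OR child nodes."""
    for node in nodes:
        yield from node.get("cpe_match", [])
        yield from _walk_matches(node.get("children", []))

def classify_openssl_exposure(feed):
    """Map each CVE ID to one of:
    'openssl_vulnerable' - an OpenSSL CPE is marked vulnerable (keep for review)
    'platform_only'      - OpenSSL appears only as a non-vulnerable platform
    'unrelated'          - no OpenSSL CPE in the configuration at all
    """
    verdicts = {}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        nodes = item.get("configurations", {}).get("nodes", [])
        openssl = [m for m in _walk_matches(nodes)
                   if m.get("cpe23Uri", "").startswith(OPENSSL_CPE_PREFIX)]
        if not openssl:
            verdicts[cve_id] = "unrelated"
        elif any(m.get("vulnerable", False) for m in openssl):
            verdicts[cve_id] = "openssl_vulnerable"
        else:
            verdicts[cve_id] = "platform_only"
    return verdicts

# Constructed sample feed: CVE-0000-0001 stands for a flaw in OpenSSL itself,
# CVE-0000-0002 for a flaw in an application that merely links against OpenSSL.
SAMPLE_FEED = {"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"operator": "AND", "children": [
         {"operator": "OR", "cpe_match": [{"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:example:webapp:2.0:*:*:*:*:*:*:*"}]},
         {"operator": "OR", "cpe_match": [{"vulnerable": False,
          "cpe23Uri": "cpe:2.3:a:openssl:openssl:1.1.1d:*:*:*:*:*:*:*"}]}]}]}},
]}

if __name__ == "__main__":
    for cve, verdict in classify_openssl_exposure(SAMPLE_FEED).items():
        print(cve, verdict)
```

Records in the 'platform_only' bucket are the ones the post proposes dismissing; 'openssl_vulnerable' records still need the fix commit or release note traced by hand.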


Re: CVE-1999-0428

Quanah Gibson-Mount


--On Tuesday, March 3, 2020 5:16 PM -0500 Chris Rhoads
<[hidden email]> wrote:

> But I've been unable to determine with certainty how the last
> vulnerability on this list (CVE-1999-0428) was fixed.  In my research,
> I've found a potential OpenSSL update in release 0.9.2b that may have
> addressed the vulnerability: https://seclists.org/bugtraq/1999/Mar/144
> But this security alert message doesn't reference any CVE number.

The above email is related to this commit in the OpenSSL source tree:

b4cadc6e1343c01b06613053a90ed2ee85e65090

Since it pre-dates the CVE being filed, it has no reference to the CVE
itself in the commit.  Someone from the OpenSSL project would have to
confirm if that is indeed the fix for the above CVE (and if so, then the
CVE database needs updating).

Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>