George Guninski reported [1] a double-free flaw in openssl's client implementation that could lead to a crash when ECDH is used. It was reported against 1.0.0a but the code being patched [2] to correct the flaw has also been identified in 0.9.8 [3].

[1] http://marc.info/?l=openssl-dev&m=128118163216952&w=2
[2] http://marc.info/?l=openssl-dev&m=128128256314328&w=2
[3] http://article.gmane.org/gmane.comp.security.oss.general/3298
I'm not 100% sure of the impact here as it looks like it might just be in the openssl client. I don't know if this code is used by other clients linked to the openssl libraries or not, so at this point I cannot say if other applications are impacted by this.
Except this code is not compiled in on our openssl - no ECC support there.
ECC or ECDH? So where this problem falls, we don't compile that support into any version of openssl we provide?
Yes, it's in #ifndef OPENSSL_NO_ECDH. And the ECDH is not even in the source tarball due to patent concerns with ECC.
Statement: This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5 as they did not include support for ECDH.