Subject: OpenSSL CVE-2007-4995 in netbsd-3
To: None <tech-security@netbsd.org>
From: Brian A. Seklecki <lavalamp@spiritual-machines.org>
List: tech-security
Date: 11/27/2007 11:34:47

I don't see a pullup in the changelog for -rnetbsd-3:

http://cvsweb.netbsd.org/bsdweb.cgi/src/crypto/dist/openssl/ssl/ssl_lib.c

According to:

http://arkiv.netbsd.se/?ml=openssl-announce&a=2007-10&m=5433522

"Versions Affected
 ------------------

 All releases of 0.9.8 prior to 0.9.8f. All releases of 0.9.7 prior to
 0.9.7m.
"


3-stable seems to have:

$ openssl version
OpenSSL 0.9.7d 17 Mar 2004

We should patch it.  I'm looking into it now.

~BAS