Re: [edk2] Use of d2i_*_bio functions from OpenSSL

From: Florian Weimer <fweimer@redhat.com>

To: edk2-devel@lists.sourceforge.net

Date: 2012-10-25 17:37:03

On 10/25/2012 04:37 AM, Long, Qin wrote:

> Thank you for this suggestion. Could you help to provide more information about this stability comparison (d2i_*_bio vs d2i_*) for our evaluation?

To my knowledge, this is not documented anywhere.  This is based on 
feedback I received when I reported issues in the *_bio functions to the 
OpenSSL developers.  (I no longer have access to these communications, 
I'm afraid.)

> We previously noticed a security vulnerability in OpenSSL ASN1 BIO (http://www.openssl.org/news/secadv_20120419.txt), and that's why the EDKII OpenSSL version was updated to 0.9.8w.

You would have avoided this vulnerability if you had used the other
functions. 8-)

-- 
Florian Weimer / Red Hat Product Security Team
