src/socket.c: Fix OpenSSL versions for OpenSSL-version-dependent impl… #202
Today I looked into CVE-2016-10937 with regards to fixing the issue in Debian jessie (v8) LTS.
The hostname validation fixes you already committed use the wrong OpenSSL version numbers in the #ifdef blocks introduced in src/socket.c.
The upper code block is for OpenSSL 1.1.0 (should be 10100000L), the lower block is for OpenSSL 1.0.2 (should be 10002000L). Please check that by looking at OpenSSL's crypto/opensslv.h file.
Furthermore, I came up with quite a complex patch for introducing pre-OpenSSL-1.0.2 (i.e. OpenSSL 1.0.1 and earlier) hostname validation. I attach that patch to this comment.
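To illustrate the version-gating point above, here is an added example (not code from this project or from the attached patch) that mirrors the `#if OPENSSL_VERSION_NUMBER` ladder at runtime and decodes OpenSSL's packed version number, so one can see which hostname-validation tier a given build would select. The enum names and helper functions are assumed for illustration; the constants 0x10100000L (1.1.0) and 0x10002000L (1.0.2) are the ones from OpenSSL's crypto/opensslv.h.

```c
#include <stdio.h>
#include <string.h>

/* OpenSSL packs OPENSSL_VERSION_NUMBER as 0xMNNFFPPS: major (4 bits),
 * minor (8), fix (8), patch letter (8), status nibble (4).
 * Hence 1.1.0 is 0x10100000L and 1.0.2 is 0x10002000L. */
#define OSSL_VER_1_1_0 0x10100000L
#define OSSL_VER_1_0_2 0x10002000L

/* Hypothetical tiers a src/socket.c-style file would pick between. */
enum hostname_impl {
    HOSTNAME_IMPL_SSL_SET1_HOST = 2,     /* >= 1.1.0: SSL_set1_host()              */
    HOSTNAME_IMPL_X509_VERIFY_PARAM = 1, /* >= 1.0.2: X509_VERIFY_PARAM_set1_host() */
    HOSTNAME_IMPL_MANUAL = 0             /* <  1.0.2: walk SAN / CN by hand         */
};

/* Runtime mirror of the preprocessor ladder:
 *   #if   OPENSSL_VERSION_NUMBER >= 0x10100000L ... SSL_set1_host
 *   #elif OPENSSL_VERSION_NUMBER >= 0x10002000L ... X509_VERIFY_PARAM_set1_host
 *   #else                                       ... manual check
 * Getting either constant wrong silently routes a build to the wrong tier. */
enum hostname_impl select_hostname_impl(unsigned long version)
{
    if (version >= OSSL_VER_1_1_0) return HOSTNAME_IMPL_SSL_SET1_HOST;
    if (version >= OSSL_VER_1_0_2) return HOSTNAME_IMPL_X509_VERIFY_PARAM;
    return HOSTNAME_IMPL_MANUAL;
}

/* Decode the packed number into "major.minor.fix[letter]" for log output. */
size_t decode_version(unsigned long version, char *buf, size_t len)
{
    unsigned major = (version >> 28) & 0xf;
    unsigned minor = (version >> 20) & 0xff;
    unsigned fix   = (version >> 12) & 0xff;
    unsigned patch = (version >> 4)  & 0xff;   /* 1 = 'a', 20 = 't' */
    int n = snprintf(buf, len, "%u.%u.%u", major, minor, fix);
    if (n < 0 || (size_t)n >= len) return 0;
    if (patch && (size_t)n + 1 < len) {
        buf[n] = (char)('a' + patch - 1);
        buf[++n] = '\0';
    }
    return (size_t)n;
}

int main(void)
{
    /* Constructed sample versions: 1.1.0, 1.0.2 and 1.0.1t (release). */
    const unsigned long samples[] = { 0x10100000L, 0x10002000L, 0x1000114fL };
    char buf[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        decode_version(samples[i], buf, sizeof buf);
        printf("%-8s -> tier %d\n", buf, (int)select_hostname_impl(samples[i]));
    }
    return 0;
}
```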
@sunweaver @lefcha shouldn't this branch completely fail, with