| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 May 2008 03:43:22 -0700 (PDT)
From: Mark J Cox <mark@....com>
To: full-disclosure@...ts.grok.org.uk
Subject: OpenSSL 0.9.8h released
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenSSL version 0.9.8h released
===============================
OpenSSL - The Open Source toolkit for SSL/TLS
http://www.openssl.org/
The OpenSSL project team is pleased to announce the release of
version 0.9.8h of our open source toolkit for SSL/TLS. This new
OpenSSL version is a security and bugfix release. For a complete
list of changes, please see
http://cvs.openssl.org/getfile/openssl/CHANGES?v=1.1238.2.104
Two moderate severity security flaws have been fixed in OpenSSL
0.9.8h. The OpenSSL security team would like to thank Codenomicon
for reporting these issues:
OpenSSL Server Name extension crash
-----------------------------------
Testing using the Codenomicon TLS test suite discovered a flaw in
the handling of server name extension data in OpenSSL 0.9.8f and
OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default
TLS server name extensions, a remote attacker could send a
carefully crafted packet to a server application using OpenSSL and
cause it to crash. (CVE-2008-0891).
Please note this issue does not affect any other released versions
of OpenSSL, and does not affect versions compiled without TLS
server name extensions.
OpenSSL Omit Server Key Exchange message crash
----------------------------------------------
Testing using the Codenomicon TLS test suite discovered a flaw if
the 'Server Key exchange message' is omitted from a TLS handshake
in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
malicious server with particular cipher suites, the server could
cause the client to crash. (CVE-2008-1672).
Please note this issue does not affect any other released versions
of OpenSSL.
Users of OpenSSL 0.9.8f or 0.9.8g should update to the OpenSSL
0.9.8h release which contains patches to correct these issues.
We consider OpenSSL 0.9.8h to be the best version of OpenSSL
available and we strongly recommend that users of older versions
upgrade as soon as possible. OpenSSL 0.9.8h is available for
download via HTTP and FTP from the following master locations (you
can find the various FTP mirrors under
http://www.openssl.org/source/mirror.html):
* http://www.openssl.org/source/
* ftp://ftp.openssl.org/source/
The distribution file name is:
o openssl-0.9.8h.tar.gz
Size: 3439981
MD5 checksum: 7d3d41dafc76cf2fcb5559963b5783b3
SHA1 checksum: ced4f2da24a202e01ea22bef30ebc8aee274de86
The checksums were calculated using the following commands:
openssl md5 openssl-0.9.*.tar.gz
openssl sha1 openssl-0.9.*.tar.gz
Yours,
The OpenSSL Project Team...
Mark J. Cox Nils Larsch Ulf Möller
Ralf S. Engelschall Ben Laurie Andy Polyakov
Dr. Stephen Henson Richard Levitte Geoff Thorpe
Lutz Jänicke Bodo Möller
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQCVAwUBSD0zDu6tTP1JpWPZAQLsDQP/VSBPNnqGy0i+QW/hsU8n+9A1o6DKZISA
ctQRYMbsZg4VyQOvdJg++LXI8VJyXJCzfHwtoYPSGaaOq/H4S8Z7DmK6zHW7cpi0
zSAIPaI3XA5lxzrbhADxpuDVVVUkGJA+dxsUpLV1V+lKbrRfZhzBwXyV8jAqdlsE
b2DlMZ8v+lg=
=0T9U
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists