MDVSA-2008:107
- Package name: openssl
- Date: 2008-05-28
- Advisory ID: MDVSA-2008:107
- Affected versions: 2008.1 x86_64, 2008.1 i586

Problem description

Testing using the Codenomicon TLS test suite discovered a flaw in
the handling of server name extension data in OpenSSL 0.9.8f and
OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default
TLS server name extensions, a remote attacker could send a carefully
crafted packet to a server application using OpenSSL and cause a
crash. (CVE-2008-0891)

Testing using the Codenomicon TLS test suite discovered a flaw that
occurs when the 'Server Key exchange message' is omitted from a TLS
handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects
to a malicious server with particular cipher suites, the server could
cause the client to crash. (CVE-2008-1672)

The updated packages have been patched to fix these flaws.

Note that any applications using this library must be restarted for
the update to take effect.
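
The restart note can be checked on a host: a process started before the update keeps the replaced library file mapped, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The script below is an added example, not part of the advisory; the function names, the sample lines and the /usr/lib64 library paths are assumptions.

```bash
#!/bin/bash
# Added example (not from the advisory): list processes that still map an
# OpenSSL library file that was replaced on disk and so need a restart.

# Read /proc/<pid>/maps-format text on stdin; print each libssl/libcrypto
# path whose mapping the kernel has marked "(deleted)".
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' |
        sort -u
}

# Walk a proc-style directory (default /proc) and print one
# "pid<TAB>command<TAB>library" line per stale mapping found.
needs_restart() {
    local procdir=${1:-/proc} d cmd lib
    for d in "$procdir"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        # Reading the maps of other users' processes fails unless run as root.
        { cat "$d/maps" 2>/dev/null || true; } | stale_openssl_maps |
        while read -r lib; do
            cmd=$(cat "$d/cmdline" 2>/dev/null | tr '\000' '\n' | head -n 1)
            printf '%s\t%s\t%s\n' "${d##*/}" "$cmd" "$lib"
        done
    done
    return 0
}

# Constructed sample of one process's maps; addresses and paths are assumptions.
sample_maps() {
    cat <<'EOF'
7f10a0000000-7f10a0050000 r-xp 00000000 08:01 1111 /usr/lib64/libssl.so.0.9.8 (deleted)
7f10a0200000-7f10a0350000 r-xp 00000000 08:01 2222 /usr/lib64/libcrypto.so.0.9.8 (deleted)
7f10a0400000-7f10a0410000 r-xp 00000000 08:01 3333 /usr/lib64/libz.so.1.2.3 (deleted)
7f10a0600000-7f10a0610000 r-xp 00000000 08:01 4444 /lib64/libc-2.7.so
EOF
}

# No argument: run on the constructed sample. Pass /proc to scan the live system.
if [ $# -gt 0 ]; then needs_restart "$1"; else sample_maps | stale_openssl_maps; fi
```

Run it as root with `/proc` as the argument after installing the update; every PID it prints is still executing the unpatched library code until that process is restarted.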
Updated packages
2008.1 x86_64
e647498bde13d7baebff21a595a7235f 2008.1/x86_64/lib64openssl0.9.8-0.9.8g-4.1mdv2008.1.x86_64.rpm
1afca1fc4741b583413ba74b42617414 2008.1/x86_64/lib64openssl0.9.8-devel-0.9.8g-4.1mdv2008.1.x86_64.rpm
2a9eb1a4d9785234ab7ea71f74835009 2008.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8g-4.1mdv2008.1.x86_64.rpm
d9d185ea96fcfa64b11b5318fbdff0e2 2008.1/x86_64/openssl-0.9.8g-4.1mdv2008.1.x86_64.rpm
0081f3e2bd9e38ffa4c27e87e8d2c8ba 2008.1/SRPMS/openssl-0.9.8g-4.1mdv2008.0.src.rpm
2008.1 i586
c89ce51d88565b5e01984d02f9d52be2 2008.1/i586/libopenssl0.9.8-0.9.8g-4.1mdv2008.1.i586.rpm
1e1855ac131d2f1d7fe185a972d6cf7e 2008.1/i586/libopenssl0.9.8-devel-0.9.8g-4.1mdv2008.1.i586.rpm
abda43307f35316915bf8fab630b5aa4 2008.1/i586/libopenssl0.9.8-static-devel-0.9.8g-4.1mdv2008.1.i586.rpm
ad370f030884f7e81eee21ad8ea14b9f 2008.1/i586/openssl-0.9.8g-4.1mdv2008.1.i586.rpm
0081f3e2bd9e38ffa4c27e87e8d2c8ba 2008.1/SRPMS/openssl-0.9.8g-4.1mdv2008.0.src.rpm
