Package name: openssl
Date: 2008-05-28
Advisory ID: MDVSA-2008:107
Affected versions: 2008.1 x86_64, 2008.1 i586

Problem description

Testing using the Codenomicon TLS test suite discovered a flaw in
the handling of server name extension data in OpenSSL 0.9.8f and
OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default
TLS server name extensions, a remote attacker could send a carefully
crafted packet to a server application using OpenSSL and cause a
crash. (CVE-2008-0891)

Testing using the Codenomicon TLS test suite also discovered a flaw in
OpenSSL 0.9.8f and OpenSSL 0.9.8g that is triggered when the
'Server Key exchange message' is omitted from a TLS handshake. If a
client connects to a malicious server with particular cipher suites,
the server could cause the client to crash. (CVE-2008-1672)

The updated packages have been patched to fix these flaws.

Note that any applications using this library must be restarted for
the update to take effect.
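
To find which applications still need that restart, the following added example (not part of the advisory or of Mandriva's tooling) lists processes that still map the replaced libssl/libcrypto files. It assumes a Linux /proc filesystem; the function names and the script name in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): find processes that still map the
# pre-update libssl/libcrypto and therefore have not been restarted.

# stale_openssl_maps FILE
# FILE is in /proc/<pid>/maps format. Prints, sorted and de-duplicated, each
# mapped libssl/libcrypto path that the kernel marks "(deleted)".
stale_openssl_maps() {
    awk '
        # Field 6 is the mapped path; once the package update has replaced
        # the file on disk the kernel appends " (deleted)" to it.
        $NF == "(deleted)" && $6 ~ /\/lib(ssl|crypto)\.so/ { seen[$6] = 1 }
        END { for (p in seen) print p }
    ' "$1" 2>/dev/null | sort
}

# scan_proc [PROC_ROOT]
# Prints "pid<TAB>program<TAB>stale library" for every process under
# PROC_ROOT (default /proc) that needs a restart. Run as root to see all.
scan_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        stale=$(stale_openssl_maps "$dir/maps")
        [ -n "$stale" ] || continue
        # argv[0] is the first NUL-terminated string in cmdline.
        prog=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline" | cut -d' ' -f1)
        for lib in $stale; do
            printf '%s\t%s\t%s\n' "${dir##*/}" "${prog:-?}" "$lib"
        done
    done
}

# Usage: sh check-openssl-restart.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

An empty result after the update means no running process is still using the old library code.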

Updated packages

2008.1 x86_64

 e647498bde13d7baebff21a595a7235f  2008.1/x86_64/lib64openssl0.9.8-0.9.8g-4.1mdv2008.1.x86_64.rpm
 1afca1fc4741b583413ba74b42617414  2008.1/x86_64/lib64openssl0.9.8-devel-0.9.8g-4.1mdv2008.1.x86_64.rpm
 2a9eb1a4d9785234ab7ea71f74835009  2008.1/x86_64/lib64openssl0.9.8-static-devel-0.9.8g-4.1mdv2008.1.x86_64.rpm
 d9d185ea96fcfa64b11b5318fbdff0e2  2008.1/x86_64/openssl-0.9.8g-4.1mdv2008.1.x86_64.rpm 
 0081f3e2bd9e38ffa4c27e87e8d2c8ba  2008.1/SRPMS/openssl-0.9.8g-4.1mdv2008.0.src.rpm

2008.1 i586

 c89ce51d88565b5e01984d02f9d52be2  2008.1/i586/libopenssl0.9.8-0.9.8g-4.1mdv2008.1.i586.rpm
 1e1855ac131d2f1d7fe185a972d6cf7e  2008.1/i586/libopenssl0.9.8-devel-0.9.8g-4.1mdv2008.1.i586.rpm
 abda43307f35316915bf8fab630b5aa4  2008.1/i586/libopenssl0.9.8-static-devel-0.9.8g-4.1mdv2008.1.i586.rpm
 ad370f030884f7e81eee21ad8ea14b9f  2008.1/i586/openssl-0.9.8g-4.1mdv2008.1.i586.rpm 
 0081f3e2bd9e38ffa4c27e87e8d2c8ba  2008.1/SRPMS/openssl-0.9.8g-4.1mdv2008.0.src.rpm

References