[arch-dev-public] [signoff] openssl 0.9.8n-1

Pierre Schmitz pierre at archlinux.de
Wed Mar 24 15:35:51 CET 2010


This is mainly a security update, so please sign off soon. See 
http://openssl.org/news/secadv_20100324.txt

The complete changelog:

 Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number.  As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active.  (CVE-2010-0740)
     [Bodo Moeller, Adam Langley <agl at chromium.org>]

  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger <thoger at redhat.com>]


-- 

Pierre Schmitz, https://users.archlinux.de/~pierre
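The first changelog entry above describes a state-handling flaw: rejecting a record with a bad version number must not leave the connection carrying a major version it never negotiated, especially once record payload protection is active. The following C program is an added illustration of that principle, not OpenSSL's code and not the CVE-2010-0740 patch; the `tls_conn` struct, the field names and the two checking functions are constructed for this example. It parses a 5-byte TLS record header, then contrasts a checker that mutates the connection on the reject path with one that validates first and never adopts a peer-supplied major version.

```c
/* Added example: record version validation without side effects on rejection.
 * Model code only; the structs below are assumptions, not OpenSSL's types. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLS_RECORD_HDR_LEN 5

typedef struct {
    uint8_t  type;    /* content type byte (e.g. 22 = handshake) */
    uint8_t  major;   /* protocol version, major byte */
    uint8_t  minor;   /* protocol version, minor byte */
    uint16_t length;  /* payload length, big-endian on the wire */
} tls_record_hdr;

/* Hypothetical connection state (assumption: stands in for a real SSL ctx). */
typedef struct {
    uint8_t major;          /* negotiated major version */
    uint8_t minor;          /* negotiated minor version */
    int     protection_on;  /* 1 once record payload protection (keys) is active */
} tls_conn;

enum { TLS_OK = 0, TLS_ERR_SHORT = -1, TLS_ERR_VERSION = -2 };

/* Parse the fixed-size record header. Returns TLS_OK or an error code. */
int tls_parse_record_header(const uint8_t *buf, size_t len, tls_record_hdr *hdr)
{
    if (buf == NULL || hdr == NULL || len < TLS_RECORD_HDR_LEN)
        return TLS_ERR_SHORT;
    hdr->type   = buf[0];
    hdr->major  = buf[1];
    hdr->minor  = buf[2];
    hdr->length = (uint16_t)(((uint16_t)buf[3] << 8) | buf[4]);
    return TLS_OK;
}

/* Flawed pattern: on mismatch the peer's version is copied into the
 * connection "so the error reply uses their version". The record is rejected,
 * but every later code path now sees a major version the connection never
 * negotiated, which is exactly the class of bug the changelog describes. */
int tls_check_record_buggy(tls_conn *conn, const tls_record_hdr *hdr)
{
    if (hdr->major != conn->major || hdr->minor != conn->minor) {
        conn->major = hdr->major;   /* state mutated on the reject path */
        conn->minor = hdr->minor;
        return TLS_ERR_VERSION;
    }
    return TLS_OK;
}

/* Hardened pattern: decide first, mutate never on a major mismatch, and make
 * no state change at all once payload protection is active. */
int tls_check_record_fixed(tls_conn *conn, const tls_record_hdr *hdr)
{
    if (hdr->major != conn->major)
        return TLS_ERR_VERSION;     /* major version is never taken from the peer */
    if (hdr->minor != conn->minor) {
        /* Assumption for this model: tolerating a minor adjustment is only
         * considered before keys are in use; afterwards the state is frozen. */
        if (!conn->protection_on)
            conn->minor = hdr->minor;
        return TLS_ERR_VERSION;
    }
    return TLS_OK;
}

/* Run one constructed scenario: a protected connection at version 3.1 receives
 * a record claiming major version 2. Returns the connection's major afterwards. */
uint8_t tls_demo_major_after_reject(int use_fixed)
{
    const uint8_t rec[TLS_RECORD_HDR_LEN] = { 22, 2, 0, 0, 0 }; /* constructed */
    tls_conn conn = { 3, 1, 1 };
    tls_record_hdr hdr;
    if (tls_parse_record_header(rec, sizeof rec, &hdr) != TLS_OK)
        return 0;
    if (use_fixed)
        (void)tls_check_record_fixed(&conn, &hdr);
    else
        (void)tls_check_record_buggy(&conn, &hdr);
    return conn.major;
}

int main(void)
{
    printf("buggy checker leaves major = %u\n", tls_demo_major_after_reject(0));
    printf("fixed checker leaves major = %u\n", tls_demo_major_after_reject(1));
    return 0;
}
```

Run as-is it prints `2` for the flawed checker and `3` for the hardened one: both reject the record, but only the first one silently re-labels the connection. The practical check for a reviewer is the same in any record layer: every early `return`/`goto err` on a malformed input should be preceded by no writes to long-lived connection state.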