[arch-dev-public] [signoff] openssl 0.9.8n-1

Pierre Schmitz pierre at archlinux.de
Wed Mar 24 15:35:51 CET 2010

This is mainly a security update, so please sign off soon. See 

The complete changelog:

 Changes between 0.9.8m and 0.9.8n [24 Mar 2010]

  *) When rejecting SSL/TLS records due to an incorrect version number, never
     update s->server with a new major version number.  As of
     - OpenSSL 0.9.8m if 'short' is a 16-bit type,
     - OpenSSL 0.9.8f if 'short' is longer than 16 bits,
     the previous behavior could result in a read attempt at NULL when
     receiving specific incorrect SSL/TLS records once record payload
     protection is active.  (CVE-2010-0740)
     [Bodo Moeller, Adam Langley <agl at chromium.org>]

  *) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL 
     could be crashed if the relevant tables were not present (e.g. chrooted).
     [Tomas Hoger <thoger at redhat.com>]


Pierre Schmitz, https://users.archlinux.de/~pierre

More information about the arch-dev-public mailing list