OpenSSL Security Advisory [24 March 2010]

"Record of death" vulnerability in OpenSSL 0.9.8f through 0.9.8m
================================================================

In TLS connections, certain incorrectly formatted records can cause an OpenSSL client or server to crash due to a read attempt at NULL.

Affected versions depend on the C compiler used with OpenSSL:

- If 'short' is a 16-bit integer, this issue applies only to OpenSSL 0.9.8m.
- Otherwise, this issue applies to OpenSSL 0.9.8f through 0.9.8m.

Users of OpenSSL should update to the OpenSSL 0.9.8n release, which contains a patch to correct this issue. If upgrading is not immediately possible, the source code patch provided in this advisory should be applied.

Note: There are other security concerns with the current implementation of OpenSSL on OSOL2008.05-2010.02 so this is just one of them for a future dev release. I think Sun Studio is used to compile OpenSSL so just needs review by security team.

~ Ken Mays
--
This message posted from opensolaris.org
_______________________________________________
indiana-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss
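
A triage check for the affected-version rule quoted in the advisory above, as an added example that is not part of the original message or of OpenSSL. The function names and the short_bits parameter are hypothetical, and the sample version strings are constructed.

```python
import re

# Version token in `openssl version` output, e.g. "OpenSSL 0.9.8k".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Return ((major, minor, fix), patch_letters) from a version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def _letter_key(letters):
    # Order patch letters the way releases are ordered:
    # "" < "a" < ... < "z" < "za" < ...
    return (len(letters), letters)


def is_affected(version_text, short_bits=16):
    """True if the advisory lists this version for the given width of 'short'.

    short_bits is the width in bits of C 'short' for the compiler that built
    OpenSSL (assumption: the caller knows it from the build environment).
    """
    base, letters = parse_version(version_text)
    if base != (0, 9, 8):
        return False  # the advisory only lists 0.9.8f through 0.9.8m
    # 16-bit 'short': only 0.9.8m. Otherwise: 0.9.8f through 0.9.8m.
    first = "m" if short_bits == 16 else "f"
    return _letter_key(first) <= _letter_key(letters) <= _letter_key("m")


if __name__ == "__main__":
    # Constructed sample strings, not output captured from real hosts.
    samples = ("OpenSSL 0.9.8e", "OpenSSL 0.9.8k", "OpenSSL 0.9.8m", "OpenSSL 0.9.8n")
    for sample in samples:
        for bits in (16, 32):
            print(sample, "short=%d" % bits, "affected:", is_affected(sample, bits))
```

A version string alone does not show whether a vendor build carries the source patch, so a result of "affected" from this check still has to be compared against the vendor's package changelog.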
