On 04/1/10 08:04 PM, Ken Mays wrote:
OpenSSL Security Advisory [24 March 2010]
"Record of death" vulnerability in OpenSSL 0.9.8f through 0.9.8m
================================================================
In TLS connections, certain incorrectly formatted records can cause
an OpenSSL client or server to crash due to a read attempt at NULL.
Affected versions depend on the C compiler used with OpenSSL:
- If 'short' is a 16-bit integer, this issue applies only to OpenSSL 0.9.8m.
- Otherwise, this issue applies to OpenSSL 0.9.8f through 0.9.8m.
Users of OpenSSL should update to the OpenSSL 0.9.8n release, which
contains a patch to correct this issue. If upgrading is not
immediately possible, the source code patch provided in this advisory
should be applied.
Note: There are other security concerns with the current
implementation of OpenSSL on OSOL2008.05-2010.02, so this is just one
of them for a future dev release. I think Sun Studio is used to
compile OpenSSL, so it just needs review by the security team.
The OpenSSL team is fully aware of these issues. If you want to see the
latest changes in the SFW consolidation, they are available here:
http://dlc.sun.com/osol/sfw/downloads/current/BUGS
OpenSSL lives in the SFW consolidation.
-M
_______________________________________________
indiana-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/indiana-discuss