On Fri, Nov 19, 2010 at 03:44:15PM +0100, Ralf Hildebrandt wrote:

> I assume postfix is not affected since smtpd is not multi-threaded?
> http://www.openssl.org/news/secadv_20101116.txt
Correct. We also don't have an in-memory SSL session cache in the Postfix SMTP client. We do have a 1-element internal cache in the server, but as you noted, no threads.

When you decide to upgrade, the 1.0.0b release had an "oops", you need to wait for 1.0.0c or apply:

http://cvs.openssl.org/chngview?cn=19998

Index: ssl/t1_lib.c
--- t1_lib.c	2010/11/16 13:26:24	1.64.2.15
+++ t1_lib.c	2010/11/16 22:41:07	1.64.2.16
@@ -779,8 +779,8 @@
 		{
 		if(s->session->tlsext_ecpointformatlist)
 			{
-			*al = TLS1_AD_DECODE_ERROR;
-			return 0;
+			OPENSSL_free(s->session->tlsext_ecpointformatlist);
+			s->session->tlsext_ecpointformatlist = NULL;
 			}
 		s->session->tlsext_ecpointformatlist_length = 0;
 		if ((s->session->tlsext_ecpointformatlist = OPENSSL_malloc(ecpointformatlist_length)) == NULL)

The remaining changes slated for 1.0.0c are compile environment portability fixes for some platforms where elimination of no longer used variables left some code that won't compile. Clearly the variable cleanup, which did not fix any bugs, should not have gone into 1.0.0b (the stable release); that's what 1.0.1 is for.

-- 
	Viktor.
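Review bot: in the hunk at @@ -779,8 +779,8 @@, freeing the existing s->session->tlsext_ecpointformatlist and NULLing it before the unchanged OPENSSL_malloc is the right order, and because the following `s->session->tlsext_ecpointformatlist_length = 0;` still runs before the allocation, a malloc failure leaves the session with a NULL pointer and zero length, which is a consistent state; confirm that the malloc-failure branch (not shown in the hunk) still sets *al and returns 0 so the handshake aborts rather than proceeding with an empty list. Note also that the removed `*al = TLS1_AD_DECODE_ERROR; return 0;` branch was the only thing rejecting a session that already carried a point-format list, so a pre-existing list (for example on a second parse of the extension) is now silently replaced; if rejecting a repeated ec_point_formats extension within one hello is still wanted, it needs its own check rather than the session-level pointer.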