Red Hat Bugzilla – Bug 138365
CAN-2004-0081 missing from OpenSSL096b compatibility package
Last modified: 2007-11-30 17:10:53 EST
OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message
types, which allows remote attackers to cause a denial of service
(infinite loop), as demonstrated using the Codenomicon TLS Test Tool.
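The description above names the failure-mode class: a message-processing loop that does not make progress on an unrecognised message type. The following C example is added here to illustrate that class in general; it is not OpenSSL's code and does not reproduce the specific 0.9.6 defect. The message layout (1-byte type, 3-byte length, body), the type numbers and the sample byte stream are all constructed for the illustration. It shows a fragile dispatcher that fails to consume an unknown message next to a hardened one that treats it as a protocol error and stops.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not OpenSSL code: a dispatcher over a stream of
 * handshake-style messages, each a 1-byte type, a 3-byte big-endian body
 * length and the body.  Types and sample data are made up for this demo. */

enum {
    MSG_CLIENT_HELLO = 1,
    MSG_FINISHED     = 20
};

enum {
    DISPATCH_OK      = 0,   /* every message consumed */
    DISPATCH_UNKNOWN = -1,  /* unknown type: stopped with an error */
    DISPATCH_TRUNC   = -2,  /* header or body runs past the buffer */
    DISPATCH_STALLED = -3   /* loop made no progress (the failure mode) */
};

/* Read one message header at offset off.  Returns 0 on success, -1 if
 * the header or the announced body does not fit in the remaining bytes. */
static int read_header(const uint8_t *buf, size_t len, size_t off,
                       int *type, size_t *body_len)
{
    if (len - off < 4)
        return -1;
    *type = buf[off];
    *body_len = ((size_t)buf[off + 1] << 16) |
                ((size_t)buf[off + 2] << 8)  |
                 (size_t)buf[off + 3];
    if (*body_len > len - off - 4)
        return -1;
    return 0;
}

/* Fragile pattern: an unrecognised type falls through without consuming
 * the message, so the next iteration re-reads the same header.  A step
 * budget stands in for "forever" so the behaviour can be observed. */
int dispatch_fragile(const uint8_t *buf, size_t len, int *handled)
{
    size_t off = 0;
    int steps = 0;
    *handled = 0;
    while (off < len) {
        int type;
        size_t body_len;
        if (++steps > 1000)
            return DISPATCH_STALLED;
        if (read_header(buf, len, off, &type, &body_len) != 0)
            return DISPATCH_TRUNC;
        switch (type) {
        case MSG_CLIENT_HELLO:
        case MSG_FINISHED:
            (*handled)++;
            off += 4 + body_len;
            break;
        default:
            /* defect: no error and no advance, so the loop spins here */
            break;
        }
    }
    return DISPATCH_OK;
}

/* Hardened pattern: every path either consumes the message or returns.
 * An unknown type is a protocol error and ends processing at once. */
int dispatch_safe(const uint8_t *buf, size_t len, int *handled)
{
    size_t off = 0;
    *handled = 0;
    while (off < len) {
        int type;
        size_t body_len;
        if (read_header(buf, len, off, &type, &body_len) != 0)
            return DISPATCH_TRUNC;
        switch (type) {
        case MSG_CLIENT_HELLO:
        case MSG_FINISHED:
            (*handled)++;
            break;
        default:
            return DISPATCH_UNKNOWN;   /* reject; never re-read the same bytes */
        }
        off += 4 + body_len;           /* progress on every accepted message */
    }
    return DISPATCH_OK;
}

/* Constructed sample stream: a ClientHello with a 2-byte body, followed by
 * a message of unknown type 99 with a 1-byte body. */
const uint8_t sample_stream[] = {
    MSG_CLIENT_HELLO, 0x00, 0x00, 0x02, 0xAA, 0xBB,
    99,               0x00, 0x00, 0x01, 0xCC
};
const size_t sample_stream_len = sizeof sample_stream;

int main(void)
{
    int handled;
    int rc = dispatch_fragile(sample_stream, sample_stream_len, &handled);
    printf("fragile: rc=%d handled=%d\n", rc, handled);   /* rc=-3 handled=1 */
    rc = dispatch_safe(sample_stream, sample_stream_len, &handled);
    printf("safe:    rc=%d handled=%d\n", rc, handled);   /* rc=-1 handled=1 */
    return 0;
}
```

The property worth checking in any such loop is that each iteration either advances the offset or returns; the hardened version moves the `off += ...` step out of the per-type cases so that no branch can forget it, and the only remaining non-advancing branch is an explicit return.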
During an audit of FC3 security issues, the Red Hat security team
discovered that the fix for CAN-2004-0081 is missing from OpenSSL096b.
This does not present a large risk due to the use of this
Fixed in openssl096b-0.9.6b-20 and -21 for FC2/FC3.