CERT/FI identified the following issue affecting OpenSSL:
Testing using the Codenomicon TLS test suite discovered a flaw in the
handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
0.9.8g. If OpenSSL has been compiled using the non-default TLS server
name extensions, a remote attacker could send a carefully crafted
packet to a server application using OpenSSL and cause a crash.
Please note this issue does not affect any other released versions of
OpenSSL, and does not affect versions compiled without TLS server name
Created attachment 306750
This issue does not affect openssl packages as shipped in Red Hat Enterprise
Linux 2.1, 3, 4 and 5, and Fedora 7 and 8. Only upstream versions 0.9.8f and
0.9.8g were affected, currently only shipped in Fedora 9 and Rawhide.
Public now, lifting embargo:
openssl-0.9.8g-9.fc9 has been submitted as an update for Fedora 9
openssl-0.9.8g-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: