CERT/FI identified following issue affecting OpenSSL: Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause a crash. (CVE-2008-0891). Please note this issue does not affect any other released versions of OpenSSL, and does not affect versions compiled without TLS server name extensions.
Created attachment 306750 [details] Upstream patch
This issue does not affect openssl packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 7 and 8. Only upstream versions 0.9.8f and 0.9.8g were affected, currently only shipped in Fedora 9 and Rawhide.
Public now, lifting embargo: http://openssl.org/news/secadv_20080528.txt
CERT-FI advisory: https://www.cert.fi/haavoittuvuudet/2008/advisory-openssl.html
openssl-0.9.8g-9.fc9 has been submitted as an update for Fedora 9
openssl-0.9.8g-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4723