CERT/FI identified following issue affecting OpenSSL: Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672). Please note this issue does not affect any other released versions of OpenSSL.
Created attachment 306751 [details] Upstream patch
This issue does not affect openssl packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 7 and 8. Only upstream versions 0.9.8f and 0.9.8g were affected, currently only shipped in Fedora 9 and Rawhide.
Public now, lifting embargo: http://openssl.org/news/secadv_20080528.txt
CERT-FI advisory: https://www.cert.fi/haavoittuvuudet/2008/advisory-openssl.html
openssl-0.9.8g-9.fc9 has been submitted as an update for Fedora 9
openssl-0.9.8g-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: Fedora: https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4723