Red Hat Bugzilla – Bug 448495
CVE-2008-1672 openssl: Omit Server Key Exchange message crash
Last modified: 2009-10-23 05:49:44 EDT
CERT/FI identified the following issue affecting OpenSSL:
Testing using the Codenomicon TLS test suite discovered a flaw if the
'Server Key exchange message' is omitted from a TLS handshake in
OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
malicious server with particular cipher suites, the server could cause
the client to crash. (CVE-2008-1672).
Please note this issue does not affect any other released versions of
Created attachment 306751
This issue does not affect openssl packages as shipped in Red Hat Enterprise
Linux 2.1, 3, 4 and 5, and Fedora 7 and 8. Only upstream versions 0.9.8f and
0.9.8g were affected, currently only shipped in Fedora 9 and Rawhide.
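The class of check that guards a client against the omitted Server Key Exchange message described in the advisory above, as an added example (not OpenSSL's code and not the attached patch). The state struct and function names are hypothetical; which key-exchange classes require the message, and the message type and alert numbers, are taken from the TLS specification, not from this report.

```c
#include <stddef.h>

/* TLS HandshakeType and alert values used here come from the TLS specification. */
enum hs_msg { HS_SERVER_KEY_EXCHANGE = 12, HS_SERVER_HELLO_DONE = 14 };
enum hs_result { HS_OK = 0, ALERT_UNEXPECTED_MESSAGE = 10, ALERT_DECODE_ERROR = 50 };
/* Key-exchange classes: per the TLS spec, DHE and anonymous DH require ServerKeyExchange. */
enum kx { KX_RSA, KX_DHE, KX_DH_ANON };

/* Hypothetical client state: peer_params stays NULL until ServerKeyExchange is parsed. */
struct client_state { enum kx kx; const unsigned char *peer_params; };
static int kx_requires_ske(enum kx kx) { return kx == KX_DHE || kx == KX_DH_ANON; }
/* Validate one server handshake message against the negotiated key exchange. */
int client_handle(struct client_state *st, enum hs_msg type, const unsigned char *body, size_t len)
{
    switch (type) {
    case HS_SERVER_KEY_EXCHANGE:
        if (!kx_requires_ske(st->kx) || st->peer_params != NULL)
            return ALERT_UNEXPECTED_MESSAGE;   /* not allowed here, or sent twice */
        if (body == NULL || len == 0)
            return ALERT_DECODE_ERROR;
        st->peer_params = body;
        return HS_OK;
    case HS_SERVER_HELLO_DONE:
        /* The omitted-message case: abort before any code touches peer_params. */
        if (kx_requires_ske(st->kx) && st->peer_params == NULL)
            return ALERT_UNEXPECTED_MESSAGE;
        return HS_OK;
    default:
        return ALERT_UNEXPECTED_MESSAGE;
    }
}

/* Run a constructed server flight through the check; returns the first alert or HS_OK. */
int check_flight(enum kx kx, const enum hs_msg *msgs, size_t n)
{
    static const unsigned char params[] = { 0x00, 0x01, 0x02 }; /* constructed stand-in */
    struct client_state st = { kx, NULL };
    for (size_t i = 0; i < n; i++) {
        int r = client_handle(&st, msgs[i], params, sizeof params);
        if (r != HS_OK) return r;
    }
    return HS_OK;
}

int main(void)
{
    const enum hs_msg omitted[] = { HS_SERVER_HELLO_DONE };
    return check_flight(KX_DHE, omitted, 1) == ALERT_UNEXPECTED_MESSAGE ? 0 : 1;
}
```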
Public now, lifting embargo:
openssl-0.9.8g-9.fc9 has been submitted as an update for Fedora 9
openssl-0.9.8g-9.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in: