Hi Niko,

Nico Golde wrote:
> Package: openssl
> Version: 0.9.8f-1
> Severity: grave
> Tags: security
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) ids were
> published for openssl.
>
> CVE-2008-0891[0]:
> | OpenSSL Server Name extension crash
> |
> | Testing using the Codenomicon TLS test suite discovered a flaw in the
> | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
> | 0.9.8g. If OpenSSL has been compiled using the non-default TLS server
> | name extensions, a remote attacker could send a carefully crafted
> | packet to a server application using OpenSSL and cause a crash.

This one does not affect the current Debian version, since it is not
compiled with the tlsext option.

>
> CVE-2008-1672[1]:
> | OpenSSL Omit Server Key Exchange message crash
> |
> | Testing using the Codenomicon TLS test suite discovered a flaw if the
> | 'Server Key exchange message' is omitted from a TLS handshake in
> | OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a
> | malicious server with particular cipher suites, the server could cause
> | the client to crash.
>

Christoph
-- 
============================================================================
Christoph Martin, Head of IT for the Administration, Uni-Mainz, Germany
Internet-Mail: [EMAIL PROTECTED]
Phone: +49-6131-3926337
Fax: +49-6131-3922856
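A small triage helper for the two advisories quoted in this thread, added here as an example and not part of the original report or of the openssl package. It assumes that `openssl version -a` output starts with an `OpenSSL <version>` line and contains a `compiler:` line whose `-D` defines include `OPENSSL_NO_TLSEXT` when the server name extension was left disabled at build time (the same define can also be read from opensslconf.h); the sample outputs below are constructed.

```python
import re

# Versions named as affected by both advisories quoted above.
AFFECTED_VERSIONS = {"0.9.8f", "0.9.8g"}


def parse_version_output(text):
    """Extract the version string and the -D defines from `openssl version -a`
    style output. Assumption: the first line is 'OpenSSL <version> <date>' and a
    later line beginning with 'compiler:' carries the build-time defines."""
    version = None
    defines = set()
    for line in text.splitlines():
        m = re.match(r"OpenSSL\s+(\S+)", line)
        if m and version is None:
            version = m.group(1)
        if line.startswith("compiler:"):
            defines.update(re.findall(r"-D(\w+)", line))
    return version, defines


def assess(text, role):
    """role is 'server' or 'client'; returns {cve: exposed?} for the two advisories."""
    version, defines = parse_version_output(text)
    affected_build = version in AFFECTED_VERSIONS
    # CVE-2008-0891 only matters if tlsext was compiled in (Debian's build was not).
    tlsext_enabled = "OPENSSL_NO_TLSEXT" not in defines
    return {
        # crash of a *server* application on crafted server_name extension data
        "CVE-2008-0891": affected_build and tlsext_enabled and role == "server",
        # crash of a *client* when a malicious server omits Server Key Exchange
        "CVE-2008-1672": affected_build and role == "client",
    }


# Constructed sample outputs (not captured from a real system).
DEBIAN_STYLE = """OpenSSL 0.9.8g 19 Oct 2007
built on: Sun Jan  6 00:00:00 UTC 2008
platform: debian-i386
compiler: gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DOPENSSL_NO_TLSEXT -O3
"""
TLSEXT_BUILD = """OpenSSL 0.9.8f 11 Oct 2007
compiler: gcc -fPIC -DOPENSSL_THREADS -D_REENTRANT -O3
"""

if __name__ == "__main__":
    print("Debian-style build, server role:", assess(DEBIAN_STYLE, "server"))
    print("Debian-style build, client role:", assess(DEBIAN_STYLE, "client"))
    print("tlsext-enabled build, server role:", assess(TLSEXT_BUILD, "server"))
```

A build without tlsext is still exposed on the client side to CVE-2008-1672, which the reply above does not address.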