[Pkg-openssl-devel] Bug#483379: openssl: CVE-2008-1672, CVE-2008-0891 multiple security issues
Christoph Martin
martin at uni-mainz.de
Wed May 28 17:03:43 UTC 2008
Nico Golde wrote:
> Hi Christoph,
> * Christoph Martin <martin at uni-mainz.de> [2008-05-28 17:13]:
>> Nico Golde wrote:
>>> Package: openssl
>>> Version: 0.9.8f-1
>>> Severity: grave
>>> Tags: security
> [...]
>>> | Testing using the Codenomicon TLS test suite discovered a flaw in the
>>> | handling of server name extension data in OpenSSL 0.9.8f and OpenSSL
>>> | 0.9.8g. If OpenSSL has been compiled using the non-default TLS server
>>> | name extensions, a remote attacker could send a carefully crafted
>>> | packet to a server application using OpenSSL and cause a crash.
>> This one does not affect the current Debian version, since it is not
>> compiled with the tlsext option.
>
> Did you miss:
> CONFARGS = --prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib enable-tlsext
>                                                                                ^^^^^^^^^^^^
Sorry. You are right. I stand corrected.
--
============================================================================
Christoph Martin, Head of Administrative IT, Uni-Mainz, Germany
Internet-Mail: Christoph.Martin at Verwaltung.Uni-Mainz.DE
Telephone: +49-6131-3926337
Fax: +49-6131-3922856