
(fwd) OpenSSL-0.9.6a has security fixes



[Time to upgrade if you're an OpenSSL (ssh, secure IMAP, etc) user, or
wait until your distribution maker comes up with packages-- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
              protocol="application/pgp-signature"; boundary="0IvGJv3f9h+YhkrH"
Content-Disposition: inline
Return-Path: <BUGTRAQ@xxxxxxxxxxxxxxxxx>
Approved-By: aleph1@xxxxxxxxxxxxxxxxx
Delivered-To: bugtraq@xxxxxxxxxxxxxxxxxxxxxxx
Mail-Followup-To: BugTraq <bugtraq@xxxxxxxxxxxxxxxxx>
User-Agent: Mutt/1.2.5i
Message-ID:  <20010424154007.D9092@xxxxxxxxxxxxxxxxxxxxxx>
Reply-To: Jim Knoble <jmknoble@xxxxxxxxxxx>
Organization: LiquidMeme
From: Jim Knoble <jmknoble@xxxxxxxxxxx>
Sender: Bugtraq List <BUGTRAQ@xxxxxxxxxxxxxxxxx>
To: BUGTRAQ@xxxxxxxxxxxxxxxxx
Subject:      OpenSSL-0.9.6a has security fixes
Date:         Tue, 24 Apr 2001 15:40:07 -0400

--0IvGJv3f9h+YhkrH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

This doesn't seem to have been announced here: OpenSSL-0.9.6a appears
to have been released somewhat quietly, and also appears to include
several security fixes:

  - Security fix: change behavior of OpenSSL to avoid using environment
    variables when running as root.

  - Security fix: check the result of RSA-CRT to reduce the possibility
    of deducing the private key from an incorrectly calculated signature.

  - Security fix: prevent Bleichenbacher's DSA attack.

  - Security fix: Zero the premaster secret after deriving the master
    secret in DH ciphersuites.

Also:

  We consider OpenSSL 0.9.6a to be the best version of OpenSSL
  available and we strongly recommend that users of older versions,
  especially of old SSLeay versions, upgrade as soon as possible.

Complete text of the announcement available at:

  http://www.openssl.org/news/announce.html

-- 
jim knoble | jmknoble@xxxxxxxxxxx | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)

--0IvGJv3f9h+YhkrH
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (Linux)
Comment: finger jmknoble@xxxxxxxxx for GnuPG public key

iEYEARECAAYFAjrl1pcACgkQKJ/qqBOBFJEH1ACbBbQ81tGoDFmrKBppuy8+w9+E
lDoAnjqKwG/KsK6Z4uT/V3iNARN2cX68
=tL7t
-----END PGP SIGNATURE-----

--0IvGJv3f9h+YhkrH--

------------------------------

End of this Digest
******************

-- 
Raju Mathur          raju@xxxxxxxxxxxxx           http://kandalaya.org/
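
Added example, not part of the forwarded message and not OpenSSL's code: a toy RSA-CRT signer showing why the "check the result of RSA-CRT" fix in the list above matters. The key, the message value, the simulated fault and all function names are constructed for illustration; the fallback to the non-CRT computation is this example's choice of how to handle a failed check.

```python
from math import gcd

# Constructed toy key built from two Mersenne primes (far too small for real use).
P, Q = 2**61 - 1, 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def crt_sign(m, fault=False):
    """RSA-CRT private-key operation with no check on the result."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1  # simulate one miscalculated half (glitch or arithmetic bug)
    h = (QINV * (sp - sq)) % P
    return (sq + h * Q) % N


def checked_crt_sign(m, fault=False):
    """Same operation, verified with the public exponent before release."""
    s = crt_sign(m, fault)
    if pow(s, E, N) != m % N:
        # Never emit the bad value; recompute without CRT instead.
        s = pow(m, D, N)
    return s


def exposed_factor(m, s):
    """gcd(s^e - m, n): n itself (nothing learned) for a correct signature,
    a prime factor of n when exactly one CRT half was wrong."""
    return gcd((pow(s, E, N) - m) % N, N)


if __name__ == "__main__":
    m = 123456789  # constructed stand-in for a padded message digest
    bad = crt_sign(m, fault=True)
    print("unchecked faulty signature exposes P:", exposed_factor(m, bad) == P)
    print("checked signer output verifies:",
          pow(checked_crt_sign(m, fault=True), E, N) == m)
```
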