Topic: OpenSSL 0.9.8n upgrade for Apache 2.2.x is available

[Steffen]

OpenSSL 0.9.8n has been released, it is as upgrade available at the download page www.apachelounge.com/download/

Security flaws have been fixed in OpenSSL 0.9.8n and have build it with the newest nasm.

Steffen

Changes between 0.9.8n and 0.9.8m

*) When rejecting SSL/TLS records due to an incorrect version number, never
update s->server with a new major version number. As of
- OpenSSL 0.9.8m if 'short' is a 16-bit type,
- OpenSSL 0.9.8f if 'short' is longer than 16 bits,
the previous behavior could result in a read attempt at NULL when
receiving specific incorrect SSL/TLS records once record payload
protection is active. (CVE-2010-0740)
[Bodo Moeller, Adam Langley <agl@chromium.org>]

*) Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL
could be crashed if the relevant tables were not present (e.g. chrooted).
[Tomas Hoger <thoger@redhat.com>]

[James Blond]

Hi Steffen,
can you please build 0.9.8o please?

Did you have experience with 1.0.0 ?

[admin]

Yep, planned coming weekend.

No experience yet with 1.0.0.

Steffen

[glsmith]

I've been using 1.0.0 for at least a month with no problems seen. Since moving to 1.0.0 I have not had the server serve up the default cert for a SNI host either. I still have not figured out if that is a browser, Apache or OpenSSL problem yet nor do I expect I ever will.