Topic: OpenSSL 0.9.8j upgrade for Apache is available

[admin]

OpenSSL 0.9.8j has been released, it is as upgrade available at the download page www.apachelounge.com/download/

A security issue is solved, see http://openssl.org/news/secadv_20090107.txt

Enjoy,

Steffen


Changes between 0.9.8i and 0.9.8j

*) Properly check EVP_VerifyFinal() and similar return values (CVE-2008-5077).
[Ben Laurie, Bodo Moeller, Google Security Team]

*) Enable TLS extensions by default.
[Ben Laurie]

*) Allow the CHIL engine to be loaded, whether the application is
multithreaded or not. (This does not release the developer from the
obligation to set up the dynamic locking callbacks.)
[Sander Temme <sander@temme.net>]

*) Use correct exit code if there is an error in dgst command.
[Steve Henson; problem pointed out by Roland Dirlewanger]

*) Tweak Configure so that you need to say "experimental-jpake" to enable
JPAKE, and need to use -DOPENSSL_EXPERIMENTAL_JPAKE in applications.
[Bodo Moeller]

*) Add experimental JPAKE support, including demo authentication in
s_client and s_server.
[Ben Laurie]

*) Set the comparison function in v3_addr_canonize().
[Rob Austein <sra@hactrn.net>]

*) Add support for XMPP STARTTLS in s_client.
[Philip Paeps <philip@freebsd.org>]

*) Change the server-side SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG behavior
to ensure that even with this option, only ciphersuites in the
server's preference list will be accepted. (Note that the option
applies only when resuming a session, so the earlier behavior was
just about the algorithm choice for symmetric cryptography.)
[Bodo Moeller]