logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> News & Hangout View previous topic :: View next topic
Reply to topic   Topic: OpenSSL 0.9.8k upgrade for Apache 2.2.x is available
Author
Steffen
Moderator


Joined: 15 Oct 2005
Posts: 3094
Location: Hilversum, NL, EU

PostPosted: Wed 25 Mar '09 21:16    Post subject: OpenSSL 0.9.8k upgrade for Apache 2.2.x is available Reply with quote

OpenSSL 0.9.8k has been released, it is as upgrade available at the download page www.apachelounge.com/download/

Three moderate severity security flaws have been fixed in OpenSSL 0.9.8k, see http://openssl.org/news/secadv_20090325.txt



Steffen

Changes between 0.9.8j and 0.9.8k


    *) Don't set val to NULL when freeing up structures, it is freed up by
    underlying code. If sizeof(void *) > sizeof(long) this can result in
    zeroing past the valid field. (CVE-2009-0789)
    [Paolo Ganci ]

    *) Fix bug where return value of CMS_SignerInfo_verify_content() was not
    checked correctly. This would allow some invalid signed attributes to
    appear to verify correctly. (CVE-2009-0591)
    [Ivan Nestlerode ]

    *) Reject UniversalString and BMPString types with invalid lengths. This
    prevents a crash in ASN1_STRING_print_ex() which assumes the strings have
    a legal length. (CVE-2009-0590)
    [Steve Henson]

    *) Set S/MIME signing as the default purpose rather than setting it
    unconditionally. This allows applications to override it at the store
    level.
    [Steve Henson]

    *) Permit restricted recursion of ASN1 strings. This is needed in practice
    to handle some structures.
    [Steve Henson]

    *) Improve efficiency of mem_gets: don't search whole buffer each time
    for a '\n'
    [Jeremy Shapiro]

    *) New -hex option for openssl rand.
    [Matthieu Herrb]

    *) Print out UTF8String and NumericString when parsing ASN1.
    [Steve Henson]

    *) Support NumericString type for name components.
    [Steve Henson]

    *) Allow CC in the environment to override the automatically chosen
    compiler. Note that nothing is done to ensure flags work with the
    chosen compiler.
    [Ben Laurie]
Back to top


Reply to topic   Topic: OpenSSL 0.9.8k upgrade for Apache 2.2.x is available View previous topic :: View next topic
Post new topic   Forum Index -> News & Hangout