Fw: OpenSSL-0.9.6a has security fixes

Jan Stifter j.stifter at medres.ch
Wed Apr 25 12:08:12 PDT 2001


this should make it into the lfs-hint and in all your systems...
cheers jan

On Tue, 24 Apr 2001 15:40:07 -0400, Jim Knoble <jmknoble at JMKNOBLE.CX>
wrote:

>This doesn't seem to have been announced here: OpenSSL-0.9.6a appears
>to have been released somewhat quietly, and also appears to include
>several security fixes:
>
>  - Security fix: change behavior of OpenSSL to avoid using environment
>    variables when running as root.
>  
>  - Security fix: check the result of RSA-CRT to reduce the possibility
>    of deducing the private key from an incorrectly calculated signature.
>  
>  - Security fix: prevent Bleichenbacher's DSA attack. 
>  
>  - Security fix: Zero the premaster secret after deriving the master
>    secret in DH ciphersuites.
>
>Also:
>
>  We consider OpenSSL 0.9.6a to be the best version of OpenSSL
>  available and we strongly recommend that users of older versions,
>  especially of old SSLeay versions, upgrade as soon as possible.
>
>Complete text of the announcement available at:
>
>  http://www.openssl.org/news/announce.html
>
>-- 
>jim knoble | jmknoble at jmknoble.cx | http://www.jmknoble.cx/
>(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
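
The RSA-CRT item in the quoted list, as an added illustration that is not part of either message and is not OpenSSL's code: a signer recomputes the result with the public exponent and withholds it if it does not verify. The two Mersenne primes, the message value, the function name and the `fault` switch are constructed for the example, and padding is omitted.

```python
# Toy RSA key built from two known Mersenne primes (constructed for this
# example; far too small for real use).
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)          # CRT exponents
QINV = pow(Q, -1, P)                       # q^-1 mod p

M = 0x1234567890ABCDEF                     # constructed stand-in for a padded digest


class SignatureFault(Exception):
    """Raised when the CRT result does not verify under the public key."""


def crt_sign(m, fault=False, verify=True):
    """Sign m with RSA-CRT; optionally simulate a fault and/or skip the check."""
    sp = pow(m, DP, P)                     # half-signature mod p
    sq = pow(m, DQ, Q)                     # half-signature mod q
    if fault:
        sq = (sq + 1) % Q                  # simulated miscalculation in one half
    h = (QINV * (sp - sq)) % P             # Garner recombination
    s = sq + Q * h
    # The check: a result that is right modulo one prime and wrong modulo
    # the other must never leave the signer.
    if verify and pow(s, E, N) != m % N:
        raise SignatureFault("RSA-CRT result failed verification; not released")
    return s


if __name__ == "__main__":
    good = crt_sign(M)
    print("clean signature verifies:", pow(good, E, N) == M)
    try:
        crt_sign(M, fault=True)
    except SignatureFault as exc:
        print("faulty signature withheld:", exc)
```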





