OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052027.html
http://lists.fedoraproject.org/pipermail/package-announce/2010-December/052315.html
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
http://marc.info/?l=bugtraq&m=129916880600544&w=2
http://marc.info/?l=bugtraq&m=130497251507577&w=2
http://marc.info/?l=bugtraq&m=132077688910227&w=2
http://openssl.org/news/secadv_20101202.txt
https://bugzilla.redhat.com/show_bug.cgi?id=659462
http://secunia.com/advisories/42469
http://secunia.com/advisories/42473
http://secunia.com/advisories/42493
http://secunia.com/advisories/42571
http://secunia.com/advisories/42620
http://secunia.com/advisories/42811
http://secunia.com/advisories/42877
http://secunia.com/advisories/43169
http://secunia.com/advisories/43170
http://secunia.com/advisories/43171
http://secunia.com/advisories/43172
http://secunia.com/advisories/43173
http://secunia.com/advisories/44269
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18910
http://support.apple.com/kb/HT4723
http://ubuntu.com/usn/usn-1029-1
http://www.debian.org/security/2011/dsa-2141
http://www.kb.cert.org/vuls/id/737740
http://www.mandriva.com/security/advisories?name=MDVSA-2010:248
http://www.redhat.com/support/errata/RHSA-2010-0977.html
http://www.redhat.com/support/errata/RHSA-2010-0978.html
http://www.redhat.com/support/errata/RHSA-2010-0979.html
http://www.redhat.com/support/errata/RHSA-2011-0896.html
http://www.vupen.com/english/advisories/2010/3120
http://www.vupen.com/english/advisories/2010/3122
http://www.vupen.com/english/advisories/2010/3134
http://www.vupen.com/english/advisories/2010/3188
http://www.vupen.com/english/advisories/2011/0032