Mandriva Linux Security Advisory : openssl (MDVSA-2008:107)
Medium Nessus Plugin ID 37882
Synopsis
The remote Mandriva Linux host is missing one or more security updates.
Description
Testing using the Codenomicon TLS test suite discovered a flaw in the handling of server name extension data in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If OpenSSL has been compiled using the non-default TLS server name extensions, a remote attacker could send a carefully crafted packet to a server application using OpenSSL and cause a crash.
Testing using the Codenomicon TLS test suite discovered a flaw if the 'Server Key exchange message' is omitted from a TLS handshake in OpenSSL 0.9.8f and OpenSSL 0.9.8g. If a client connects to a malicious server with particular cipher suites, the server could cause the client to crash. (CVE-2008-1672)
The updated packages have been patched to fix these flaws.
Note that any applications using this library must be restarted for the update to take effect.
Solution
Update the affected packages.
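A post-update check for the restart note above, as an added example that is not part of the advisory or the plugin: it lists processes that still map a libssl or libcrypto file that the package update replaced on disk. It assumes a Linux /proc filesystem, where a replaced library appears in /proc/<pid>/maps with a "(deleted)" suffix; the function names and the --scan argument are hypothetical.

```shell
#!/bin/sh
# Added example: find processes still running the pre-update OpenSSL code.
# After a package update the old library file is unlinked, but processes
# that loaded it keep the old mapping, shown as "<path> (deleted)".

# stale_openssl_maps FILE
# FILE is in /proc/<pid>/maps format. Prints each libssl/libcrypto path
# whose mapping is marked "(deleted)", one per line, de-duplicated.
stale_openssl_maps() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/lib(ssl|crypto)\.so/ { print $(NF-1) }' "$1" | sort -u
}

# scan_procs [PROC_ROOT]
# Prints "<pid><TAB><comma-separated stale libraries>" for every process
# under PROC_ROOT (default /proc) that still maps a deleted OpenSSL library.
scan_procs() {
    root="${1:-/proc}"
    for maps in "$root"/[0-9]*/maps; do
        # Skip processes that exited or that we are not allowed to read.
        [ -r "$maps" ] || continue
        libs=$(stale_openssl_maps "$maps" 2>/dev/null | paste -sd, -)
        [ -n "$libs" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        printf '%s\t%s\n' "$pid" "$libs"
    done
}

# Run the scan only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    scan_procs
fi
```

Run it as root with --scan so every process's maps file is readable; each PID it prints belongs to an application that has not yet been restarted onto the patched library.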