OpenSSL is a well-known security program that provides encryption functions. It contains an implementation of the TLS and SSL protocols, which allow data to be sent and received in encrypted form. For more information, we refer you to this page. The developers have released new versions, numbered 1.0.0c and 0.9.8q. The accompanying list of changes since the previous mention in the Meuktracker is as follows:
Changes between 1.0.0b and 1.0.0c:
- Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 [Ben Laurie]
Changes between 1.0.0a and 1.0.0b:
- Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. CVE-2010-3864
- Fix WIN32 build system to correctly link an ENGINE directory into a DLL. [Steve Henson]
Changes between 0.9.8p and 0.9.8q:
- Disable code workaround for ancient and obsolete Netscape browsers and servers: an attacker can use it in a ciphersuite downgrade attack. Thanks to Martin Rex for discovering this bug. CVE-2010-4180 [Steve Henson]
- Fixed J-PAKE implementation error, originally discovered by Sebastien Martini, further info and confirmation from Stefan Arentz and Feng Hao. Note that this fix is a security fix. CVE-2010-4252 [Ben Laurie]
Changes between 0.9.8o and 0.9.8p:
- Fix extension code to avoid race conditions which can result in a buffer overrun vulnerability: resumed sessions must not be modified as they can be shared by multiple threads. CVE-2010-3864 [Steve Henson]
- Fix for double free bug in ssl/s3_clnt.c CVE-2010-2939 [Steve Henson]
- Don't reencode certificate when calculating signature: cache and use the original encoding instead. This makes signature verification of some broken encodings work correctly. [Steve Henson]
- ec2_GF2m_simple_mul bugfix: compute correct result if the output EC_POINT is also one of the inputs. [Emilia Käsper]
- Don't repeatedly append PBE algorithms to table if they already exist. Sort table on each new add. This effectively makes the table read only after all algorithms are added and subsequent calls to PKCS12_pbe_add etc are non-op. [Steve Henson]