From: Jim Knoble (jmknobleJMKNOBLE.CX)
Date: Tue Apr 24 2001 - 14:40:07 CDT

    This doesn't seem to have been announced here: OpenSSL-0.9.6a appears
    to have been released somewhat quietly, and also appears to include
    several security fixes:

      - Security fix: change behavior of OpenSSL to avoid using environment
        variables when running as root.
      
      - Security fix: check the result of RSA-CRT to reduce the possibility
        of deducing the private key from an incorrectly calculated signature.
      
      - Security fix: prevent Bleichenbacher's DSA attack.
      
      - Security fix: Zero the premaster secret after deriving the master
        secret in DH ciphersuites.

    Also:

      We consider OpenSSL 0.9.6a to be the best version of OpenSSL
      available and we strongly recommend that users of older versions,
      especially of old SSLeay versions, upgrade as soon as possible.

    Complete text of the announcement available at:

      http://www.openssl.org/news/announce.html

    -- 
    jim knoble | jmknoblejmknoble.cx | http://www.jmknoble.cx/
    (GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
    

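The RSA-CRT item in the list above, worked through as an added example (not part of the original post and not OpenSSL's code): with a constructed toy key, a signature whose mod-q half is miscalculated exposes a prime factor of the modulus, and verifying the result before release catches it. The key values, function names and the choice to raise an error on mismatch are assumptions of this sketch.

```python
from math import gcd

# Constructed toy key, far too small for real use; all names are illustrative.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)


def crt_sign(m, fault=False):
    """Raw (unpadded) RSA-CRT signature of integer m.

    fault=True simulates an incorrectly calculated mod-q half.
    """
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault:
        sq ^= 1                             # constructed single-bit error
    h = (QINV * (sp - sq)) % P              # Garner recombination
    return sq + Q * h


def factor_exposed_by(m, s):
    """Why the check matters: s^e - m shares a prime with N when one half is wrong."""
    return gcd((pow(s, E, N) - m) % N, N)


def checked_sign(m, fault=False):
    """Verify the CRT result with the public exponent before releasing it."""
    s = crt_sign(m, fault)
    if pow(s, E, N) != m % N:
        # Assumption of this sketch: refuse to output anything on mismatch.
        raise ValueError("RSA-CRT result failed verification; signature withheld")
    return s


if __name__ == "__main__":
    good, bad = crt_sign(42), crt_sign(42, fault=True)
    print("correct signature exposes:", factor_exposed_by(42, good))  # N itself
    print("faulty signature exposes: ", factor_exposed_by(42, bad))   # a prime factor
    try:
        checked_sign(42, fault=True)
    except ValueError as err:
        print("checked_sign:", err)
```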