Date: Tue, 24 Apr 2001 15:40:07 -0400
From: Jim Knoble <[email protected]>
To: [email protected]Subject: OpenSSL-0.9.6a has security fixes
--0IvGJv3f9h+YhkrH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
This doesn't seem to have been announced here: OpenSSL-0.9.6a appears
to have been released somewhat quietly, and also appears to include
several security fixes:
- Security fix: change behavior of OpenSSL to avoid using environment
variables when running as root.
=20
- Security fix: check the result of RSA-CRT to reduce the possibility
of deducing the private key from an incorrectly calculated signature.
=20
- Security fix: prevent Bleichenbacher's DSA attack.=20
=20
- Security fix: Zero the premaster secret after deriving the master
secret in DH ciphersuites.
Also:
We consider OpenSSL 0.9.6a to be the best version of OpenSSL
available and we strongly recommend that users of older versions,
especially of old SSLeay versions, upgrade as soon as possible.
Complete text of the announcement available at:
http://www.openssl.org/news/announce.html
--=20
jim knoble | [email protected] | http://www.jmknoble.cx/
(GnuPG fingerprint: 31C4:8AAC:F24E:A70C:4000::BBF4:289F:EAA8:1381:1491)
--0IvGJv3f9h+YhkrH
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (Linux)
Comment: finger [email protected] for GnuPG public key
iEYEARECAAYFAjrl1pcACgkQKJ/qqBOBFJEH1ACbBbQ81tGoDFmrKBppuy8+w9+E
lDoAnjqKwG/KsK6Z4uT/V3iNARN2cX68
=tL7t
-----END PGP SIGNATURE-----
--0IvGJv3f9h+YhkrH--
