Gentoo Attachment #154343 for bug #223429

View | Details | Raw Unified
Collapse All | Expand All

(-) CHANGES (+4 lines)

Lines 4-9	Link Here

 Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]

 Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]

  *) Fix flaw if 'Server Key exchange message' is omitted from a TLS

     handshake which could lead to a cilent crash as found using the

     Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox]

  *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()

  *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set()

     to get the expected BN_FLG_CONSTTIME behavior.

     to get the expected BN_FLG_CONSTTIME behavior.

     [Bodo Moeller (Google)]

     [Bodo Moeller (Google)]

(-) ssl/s3_clnt.c (+7 lines)

Lines 2061-2066	Link Here

			DH *dh_srvr,*dh_clnt;

			DH *dh_srvr,*dh_clnt;

                        if (s->session->sess_cert == NULL)

                                ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);

                                SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);

                                goto err;

			if (s->session->sess_cert->peer_dh_tmp != NULL)

			if (s->session->sess_cert->peer_dh_tmp != NULL)

				dh_srvr=s->session->sess_cert->peer_dh_tmp;

				dh_srvr=s->session->sess_cert->peer_dh_tmp;

			else

			else

Attachment #154343: openssl-0.9.8g-CVE-2008-1672.patch for bug #223429