Index: CHANGES
===================================================================
RCS file: /e/openssl/cvs/openssl/CHANGES,v
retrieving revision 1.1238.2.86
diff -u -r1.1238.2.86 CHANGES
--- CHANGES 28 Feb 2008 13:35:58 -0000 1.1238.2.86
+++ CHANGES 22 May 2008 09:19:30 -0000
@@ -4,6 +4,10 @@
 Changes between 0.9.8g and 0.9.8h [xx XXX xxxx]
 
+ *) Fix flaw if 'Server Key exchange message' is omitted from a TLS
+ handshake which could lead to a cilent crash as found using the
+ Codenomicon TLS test suite (CVE-2008-1672) [Steve Henson, Mark Cox]
+
 *) Fix BN flag handling in RSA_eay_mod_exp() and BN_MONT_CTX_set() to get the expected BN_FLG_CONSTTIME behavior. [Bodo Moeller (Google)]
Index: ssl/s3_clnt.c
===================================================================
RCS file: /e/openssl/cvs/openssl/ssl/s3_clnt.c,v
retrieving revision 1.88.2.12
diff -u -r1.88.2.12 s3_clnt.c
--- ssl/s3_clnt.c 3 Nov 2007 13:07:39 -0000 1.88.2.12
+++ ssl/s3_clnt.c 22 May 2008 09:19:30 -0000
@@ -2061,6 +2061,13 @@
 {
 DH *dh_srvr,*dh_clnt;
 
+ if (s->session->sess_cert == NULL)
+ {
+ ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_UNEXPECTED_MESSAGE);
+ SSLerr(SSL_F_SSL3_SEND_CLIENT_KEY_EXCHANGE,SSL_R_UNEXPECTED_MESSAGE);
+ goto err;
+ }
+
 if (s->session->sess_cert->peer_dh_tmp != NULL)
 dh_srvr=s->session->sess_cert->peer_dh_tmp;
 else
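Review bot: The new NULL check on `s->session->sess_cert` carries no comment saying when the pointer can legitimately be NULL here, so a later reader will take it for an impossible-state guard rather than a peer-controlled condition that must be rejected before the `peer_dh_tmp` dereference on the next context line. I would put `/* Per CVE-2008-1672: a peer that omits the ServerKeyExchange leaves sess_cert unset, so reject the handshake here instead of dereferencing it below. */` above the `if`. The guard is only in the DH branch shown; if other key-exchange branches of this function (which starts and ends outside the hunk) read `sess_cert` before checking it, they presumably need the same check, and the alert/SSLerr/`goto err` sequence could then be shared rather than repeated. Unrelated, the CHANGES hunk spells "client" as "cilent".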