Contributed by ray on from the CYA dept.
Thanks Damien for the update. Start your patching!
Some exploitable logic errors have been discovered in OpenSSL versions prior to 0.9.8j. These errors may permit an attacker to bypass validation of DSA/ECDSA certificates and conduct a "man in the middle attack" against SSL/TLS connections that use them. Fortunately, DSA and ECDSA certificates appear to be rarely used in practice.
This vulnerability has been designated CVE-2008-5077. More information is available from the OpenSSL project at:
Patch for OpenBSD 4.3:
Patch for OpenBSD 4.4:
These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4 stable CVS branches.
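The logic error behind CVE-2008-5077, as described in the OpenSSL project's advisory for it, was that several callers tested the return value of EVP_VerifyFinal() with "!ret", which only catches 0 (signature does not verify) and lets the -1 error return (malformed signature) through as success. The following is an added C example and not code from this post, from OpenSSL or from the OpenBSD patches: verify_final(), toy_digest() and toy_sign() are constructed stand-ins that keep the same 1 / 0 / -1 contract so the program builds without libcrypto, and the message bytes are made up.

```c
/*
 * Added example, not OpenSSL or OpenBSD code. Models the return-value
 * convention of OpenSSL's EVP_VerifyFinal():
 *    1  signature verified
 *    0  signature does not verify
 *   -1  error (for example, a malformed signature encoding)
 * verify_final() is a constructed stand-in using a toy checksum instead of
 * DSA/ECDSA, so that this compiles and runs without linking libcrypto.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SIG_LEN 4

/* Toy "signature" value: 32-bit FNV-1a of the message (stand-in, not a real scheme). */
static uint32_t toy_digest(const unsigned char *msg, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= msg[i];
        h *= 16777619u;
    }
    return h;
}

/* Build a valid toy signature over msg (used only to construct test inputs). */
void toy_sign(const unsigned char *msg, size_t len, unsigned char out[SIG_LEN])
{
    uint32_t h = toy_digest(msg, len);
    out[0] = (unsigned char)(h >> 24);
    out[1] = (unsigned char)(h >> 16);
    out[2] = (unsigned char)(h >> 8);
    out[3] = (unsigned char)h;
}

/* Same tri-state contract as EVP_VerifyFinal(): 1 ok, 0 mismatch, -1 error. */
int verify_final(const unsigned char *msg, size_t msg_len,
                 const unsigned char *sig, size_t sig_len)
{
    if (sig == NULL || sig_len != SIG_LEN)
        return -1;                      /* malformed encoding: an error, not a verdict */
    uint32_t expect = toy_digest(msg, msg_len);
    uint32_t got = ((uint32_t)sig[0] << 24) | ((uint32_t)sig[1] << 16) |
                   ((uint32_t)sig[2] << 8)  |  (uint32_t)sig[3];
    return expect == got ? 1 : 0;
}

/* Pre-0.9.8j style check: "!ret" catches only 0, so -1 is accepted as success. */
int vulnerable_accepts(const unsigned char *msg, size_t msg_len,
                       const unsigned char *sig, size_t sig_len)
{
    if (!verify_final(msg, msg_len, sig, sig_len))
        return 0;                       /* rejected */
    return 1;                           /* accepted, including when ret == -1 */
}

/* Corrected check: anything other than 1 is a failure. */
int fixed_accepts(const unsigned char *msg, size_t msg_len,
                  const unsigned char *sig, size_t sig_len)
{
    if (verify_final(msg, msg_len, sig, sig_len) <= 0)
        return 0;                       /* rejected on both mismatch and error */
    return 1;
}
```

A malformed signature (wrong length here, a bad encoding in the real bug) makes verify_final() return -1; vulnerable_accepts() treats that as a verified signature while fixed_accepts() rejects it. The same "<= 0" discipline applies to any OpenSSL call that returns -1 for errors.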