openssl (0.9.7d-3ubuntu0.3) warty-security; urgency=low

  * SECURITY UPDATE: Fix cryptographic weakness.
  * ssl/s23_srvr.c:
    - When using SSL_OP_MSIE_SSLV2_RSA_PADDING, do not disable the
      protocol-version rollback check, so that a man-in-the-middle cannot
      force a client and server to fall back to the insecure SSL 2.0 protocol.
    - Problem discovered by Yutaka Oiwa.
  * References:
    CAN-2005-2969
    http://www.openssl.org/news/secadv_20051011.txt

 -- Martin Pitt <email address hidden>  Thu, 13 Oct 2005 09:48:51 +0000