OpenSSL wrote:
OpenSSL Ciphersuite Downgrade Attack
=====================================

A flaw has been found in the OpenSSL SSL/TLS server code where an old bug
workaround allows malicious clients to modify the stored session cache
ciphersuite. In some cases the ciphersuite can be downgraded to a weaker one
on subsequent connections.

The OpenSSL security team would like to thank Martin Rex for reporting this
issue.

This vulnerability is tracked as CVE-2010-4180.

I understand that RedHat had already identified this issue five years ago: https://bugzilla.redhat.com/show_bug.cgi?id=175779

You should have a better channel of communication with RedHat so that when they find something like that, they communicate it to you, even when it's about something that they see as a minor issue.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
