Hi,

Thanks for fixing CVE-2009-4355, dev team. But the description of this change in the CHANGES file is incorrect. Please fix it.

On branch OpenSSL_0_9_8-stable, in CHANGES:

  *) Modify compression code so it frees up structures without using the
     ex_data callbacks. This works around a problem where some applications
     call CRYPTO_free_all_ex_data() before application exit (e.g. when
     restarting) then use compression (e.g. SSL with compression) later.
     This results in significant per-connection memory leaks and has caused
     some security issues including CVE-2008-1678 and CVE-2009-4355.
     [Steve Henson]

http://cvs.openssl.org/fileview?f=openssl/CHANGES&v=1.1238.2.181

"CRYPTO_free_all_ex_data()" is not correct. No such function exists in the openssl-0.9.8l distribution. I think it should be "CRYPTO_cleanup_all_ex_data()".

Thanks,
--
Sahara
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org