On Mon, Dec 06, 2010, Jean-Marc Desperrier wrote: > OpenSSL wrote: >> OpenSSL Ciphersuite Downgrade Attack >> ===================================== >> >> A flaw has been found in the OpenSSL SSL/TLS server code where an old bug >> workaround allows malicous clients to modify the stored session cache >> ciphersuite. In some cases the ciphersuite can be downgraded to a weaker >> one >> on subsequent connections. >> >> The OpenSSL security team would like to thank Martin Rex for reporting >> this >> issue. >> >> This vulnerability is tracked as CVE-2010-4180 > > I understand that RedHat had already identified this issue five years ago : > https://bugzilla.redhat.com/show_bug.cgi?id=175779 > > You should have a better channel of communication with RedHat so that when > they find something like that, they communicate it to you, even when it's > about something that they see as a minor issue. >
That is actually a different issue AFAICS. In that case a ciphersuite not supported by the server can be used. That was fixed here: http://cvs.openssl.org/chngview?cn=17490 Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
