>I'm trying a workaround currently by applying the patch
>http://www.openssl.org/news/patch_20020730_0_9_6d.txt
>to openssl-0.9.6c. It fails in the CHANGES File, but who cares;-)
>
>It's compiling now...installing....restarting qpopper....
>Aug 1 15:20:39 xxxxxxx popper[32050]: (v4.0.4-netway) TLSv1/SSLv3
>handshake with client at xxxxxxxxxxx (xxx.xxx.xxx.xx); new session-id;
>cipher: DES-CBC3-SHA (DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168)
>Mac=SHA1), 168 bits
>Aug 1 15:20:39 xxxxxxx popper[32050]: Stats: xxxxxxx 0 0 1 379 xxxxxxxxx
>xxx.xxx.xxx.xx
>Aug 1 15:20:39 xxxxxxx popper[32050]: Timing for xxxxxxx@xxxxxxxxxxxxx
>(normal) auth=0 init=0 clean=0
>
>There we're again;-) Works perfectly for now...

So it sounds to me like there is a problem in the OpenSSL code. But the question is, does your patch address the buffer overflow vulnerabilities identified by CERT?

I figure we can expect to see OpenSSL 9.6f in the next week or so.... hopefully

I'm going to love having to re-compile all my ssl apps again... sigh

Has anyone notified OpenSSL of this issue?
