OpenSSL v0.9.8.m Release Notes

Release Date: 2010-03-24 // over 11 years ago
    • When rejecting SSL/TLS records due to an incorrect version number, never update s->server with a new major version number. As of
      • OpenSSL 0.9.8m if 'short' is a 16-bit type,
      • OpenSSL 0.9.8f if 'short' is longer than 16 bits, the previous behavior could result in a read attempt at NULL when receiving specific incorrect SSL/TLS records once record payload protection is active. [CVE-2010-0740][]

    Bodo Moeller, Adam Langley [email protected]

    • Fix for CVE-2010-0433 where some kerberos enabled versions of OpenSSL could be crashed if the relevant tables were not present (e.g. chrooted).

    Tomas Hoger [email protected]