openssl security update

OpenSSL's internal certificate verification routines could
incorrectly accept a CRL whose nextUpdate field is in the
past (CVE-2011-3207).

Server code for ECDH could crash if it received a specially
crafted handshake message (CVE-2011-3210).

Fixed bugs
bnc#716143: VUL-0: openssl CRL validation flaw
bnc#716144: VUL-0: openssl ECDH crash
CVE#CVE-2011-3207: crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past.
CVE#CVE-2011-3210: The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8r and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages from clients, which allows remote attackers to cause a denial of service (daemon cra
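Added example (not part of the original advisory or of OpenSSL): a small triage helper that maps an upstream OpenSSL version string onto the affected ranges quoted above. The function names and the AFFECTED table layout are assumptions made for this illustration; "1.0.x before 1.0.0e" is read as 1.0.0 up to, but not including, 1.0.0e.

```python
import re
import ssl

# Ranges copied from the CVE text above: (lowest, highest, highest_is_inclusive).
AFFECTED = {
    "CVE-2011-3207": [("1.0.0", "1.0.0e", False)],
    "CVE-2011-3210": [("0.9.8", "0.9.8r", True), ("1.0.0", "1.0.0e", False)],
}

# Old-style OpenSSL versions: three numbers plus an optional patch letter run.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn '1.0.0d' or 'OpenSSL 0.9.8r 8 Feb 2011' into a sortable tuple."""
    text = text.strip()
    if text.lower().startswith("openssl "):
        text = text[len("openssl "):]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, fix, patch = match.groups()
    # '' < 'a' < ... < 'z' < 'za', so plain string comparison orders patch letters.
    return (int(major), int(minor), int(fix), patch)


def affected_cves(version_text):
    """Return the CVEs from this advisory whose range contains the version."""
    version = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, high, inclusive in ranges:
            lo, hi = parse_version(low), parse_version(high)
            if lo <= version and (version <= hi if inclusive else version < hi):
                hits.append(cve)
                break
    return hits


if __name__ == "__main__":
    # Constructed sample versions, followed by the library this Python links to.
    for sample in ("0.9.8r", "1.0.0d", "1.0.0e", ssl.OPENSSL_VERSION):
        print(sample, "->", affected_cves(sample) or "not in an affected range")
```

A match only reflects the upstream version number. Distribution packages often carry backported fixes under an unchanged version, so confirm against the package changelog for the bug numbers listed above.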