New version of OpenSSL fixes two vulnerabilities
Version 1.0.0c of the free OpenSSL SSL implementation fixes two vulnerabilities. A flaw in an older workaround for Netscape browsers and servers can be remotely exploited to make an OpenSSL server downgrade the ciphersuite to a weaker one for subsequent connections. This can potentially simplify the cracking of encrypted connections. The update simply disables the workaround.
Another flaw in the implementation of the "Password Authenticated Key Exchange by Juggling" protocol (J-PAKE ) allows intruders to authenticate themselves without a secret key. While this flaw has been fixed in the current version, the developers point out that their implementation is still experimental and not compiled by default.
(ehe)