Security update for OpenSSL
The OpenSSL developers have released version 0.9.8k which eliminates three vulnerabilities in the processing of certificates. One eliminated error could cause any OpenSSL-based application, such as SSL servers, clients or S/MIME software, to crash when printing or displaying a manipulated certificate. Another error, in the verification of CMS (Cryptographic Message Syntax) secured communications that allowed malformed attributes in a certificate, could make a certificate appear valid, even though it was not.
On some operating systems, a malformed ASN1 structure could, when freed, cause an invalid memory access. The problem only occurs on systems where
sizeof(long) < sizeof(void *) such as 64 bit windows.
- OpenSSL Security Advisory (25-Mar-2009), OpenSSL advisory.