Article Source: SUSE Linux Security Announcements
1) Problem Description and Brief Discussion
The TLS/SSLv3 protocol as implemented in openssl prior to this update was not able to associate already-sent data with a renegotiated connection.
This allowed man-in-the-middle attackers to inject HTTP requests into an HTTPS session without being noticed.
For example, Apache’s mod_ssl was vulnerable to this kind of attack because it uses openssl…