SUSE Security Announcement: openssl

35

1) Problem Description and Brief Discussion

The TLS/SSLv3 protocol as implemented in openssl prior to this update was not able to associate already sent data to a renegotiated connection.

This allowed man-in-the-middle attackers to inject HTTP requests in a HTTPS session without being noticed.

For example Apache’s mod_ssl was vulnerable to this kind of attack because it uses openssl…