Some exploitable logic errors have been discovered in OpenSSL versions
prior to 0.9.8j. These errors may permit an attacker to bypass
validation of DSA/ECDSA certificates and conduct a "man in the middle
attack" against SSL/TLS connection that use them. Fortunately, DSA and
ECDSA certificates appear to be rarely used in practice.
This vulnerability has been designated CVE-2008-5077. More information
is available from the OpenSSL project at:
http://www.openssl.org/news/secadv_20090107.txtSource code patches are available for OpenBSD 4.3 and 4.4. -current has
been updated to OpenSSL 0.9.8j
Patch for OpenBSD 4.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/007_openssl.patch
Patch for OpenBSD 4.4:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.4/common/007_openssl.patch
These patches are also available in the OPENBSD_4_3 and OPENBSD_4_4
stable CVS branches.