Update: CERT also has released advisory CA-2002-23 with vendor-specific patch links for major operating systems.

The OpenSSL group has issued a
security advisory for five vulnerabilities, including a remote overflow in the SSL2 client master key handling which has been
proven to be exploitable. Versions 0.9.6.d and earlier, as well as 0.9.7-beta2 and earlier, are affected.

The vulnerabilities have been patched in 0.9.6.e and 0.9.7-beta3, which are available at the OpenSSL website. Unfortunately, their servers are being hammered because of a Slashdot article and might be inaccessible, so we’ve copied their mirror page so you can find alternative download locations.

We also are temporarily hosting the files ourselves, since many mirrors didn’t get a chance to grab them:

• openssl-engine-0.9.6e.tar.gz
• openssl-engine-0.9.6e.tar.gz.md5
• openssl-engine-0.9.6e.tar.gz.asc
• openssl-0.9.7-beta3.tar.gz
• openssl-0.9.7-beta3.tar.gz.md5

Hideaway.Net is N-Stalker’s premier distributor and support agent in the US. They have operated their security portal since 1997, and are committed to working with us to dissemminate security software, vulnerability information, and patch details.