Gentoo Linux Security Advisory 200912-1 - Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct multiple attacks, including the injection of arbitrary data into encrypted byte streams. Versions less than 0.9.8l-r2 are affected.
705697817c46700fc9df1cb06e10cefe0c615f48bbabe02cd0b7328b880af2b6
HP Security Bulletin - A potential security vulnerability has been identified with HP-UX OpenSSL. The vulnerability could be exploited remotely to inject unauthorized data or to create a Denial of Service (DoS).
cd73e680643ad55bacc1b844331635889880e335ca49e558ebed8d627b969708
Ubuntu Security Notice 860-1 - Marsh Ray and Steve Dispensa discovered a flaw in the TLS and SSLv3 protocols. If an attacker could perform a man-in-the-middle attack at the start of a TLS connection, the attacker could inject arbitrary content at the beginning of the user's session.
36419a2d0978a20b0643789ec59775c195f24212f20fba323782b6fddb302e47
SUSE Security Announcement - The TLS/SSLv3 protocol as implemented in openssl prior to this update was not able to associate already sent data with a renegotiated connection. This allowed man-in-the-middle attackers to inject HTTP requests into an HTTPS session without being noticed. For example, Apache's mod_ssl was vulnerable to this kind of attack because it uses openssl. It is believed that this vulnerability is actively exploited in the wild to get access to HTTPS-protected web sites. Please note that renegotiation will be disabled for any application using openssl by this update and may cause problems in some cases. Additionally, this attack is not limited to HTTP.
64dd6d04fc2d6d8902730cdd4ebe8561bc511ab3d3891aabc2ba909b1c8b1636
Cisco Security Advisory - An industry-wide vulnerability exists in the Transport Layer Security (TLS) protocol that could impact any Cisco product that uses any version of TLS and SSL. The vulnerability exists in how the protocol handles session renegotiation and exposes users to a potential man-in-the-middle attack.
834e38821f573aad3c161fc1bbd3197b23d825981e7612301a401b08b5f77563
Mandriva Linux Security Advisory 2009-295 - Apache is affected by SSL injection or man-in-the-middle attacks due to a design flaw in the SSL and/or TLS protocols. A short term solution was released Sat Nov 07 2009 by the ASF team to mitigate these problems. Apache will now reject in-session renegotiation. Additionally the SNI patch was upgraded for 2009.0/MES5 and 2009.1. This update provides a solution to this vulnerability.
935c4b64482fa9b56d8b02e7990e9248bda00add21bc8106a5c513319a5275ed
Debian Linux Security Advisory 1934-1 - A design flaw has been found in the TLS and SSL protocols that allows an attacker to inject arbitrary content at the beginning of a TLS/SSL connection. The attack is related to the way TLS and SSL handle session renegotiations. CVE-2009-3555 has been assigned to this vulnerability.
6409dd2b27e3773afb6cdd3372de85e981de22305a7cd297954a8af170e4460d
OpenSSL Security Advisory 20091111 - A potentially serious flaw in SSL and TLS has been worked around in OpenSSL 0.9.8l.
24ada18a3645b050a214aa19e0d78749f897837c4a7958bb3336c828135c7e9e
OpenSSL is a robust, fully featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols with full-strength cryptography world-wide.
ecd054e9eed2e9c1620ba15257e6fc4d882c9a4aea663d23b769e2138de8c91a