CVE-2008-7270
Published: 6 December 2010
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Notes
Author | Note |
---|---|
jdstrand | per sbeattie, "the same fix for CVE-2010-4180 that's backported will fix it, as the whole SL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG block gets ifdef'd out" |