SECURITY FIX: Dec 2, 1999
A buffer overflow in the RSAREF code included in the
USA version of the libssl package (called sslUSA) is
possibly exploitable in isakmpd if SSL/RSA features
are enabled or used.
OpenSSH and httpd (with -DSSL) are not
vulnerable.
NOTE: International users using the ssl26 package are not affected.
To check what package you are using, use:
# pkg_info sslUSA26
The patched library says:
"ssl26.1 USA-only non-commercial crypto libs incl. SSL & RSA"
Non-commercial USA users who installed the ssl package before December 3
should upgrade their sslUSA26 package using:
# pkg_delete sslUSA26
# pkg_add -v sslUSA26.tar.gz
Use the new sslUSA26.tar.gz files, which have been placed
on the FTP mirrors.
For more information, see the advisory.