vulnerability in openssl

For openssl 0.9.7 I filed a sync request to update to version 0.9.7k-1 from Debian unstable (bug 62518).

Reassigning to openssl097, openssl itself was already fixed three weeks ago in USN-339-1.

Edgy contains now openssl097 0.9.7k-2.

It's universe, but I'll fix it for dapper, too.

 openssl097 (0.9.7g-5ubuntu1.1) dapper-security; urgency=low
 .
   * SECURITY UPDATE: Multiple vulnerabilities.
   * Apply http://www.openssl.org/news/patch-CVE-2006-4339.txt:
     - Check excessive data in padding of PKCS #1 v1.5 signatures to prevent
       applications from incorrectly verifying the certificate. [CVE-2006-4339]
     - http://www.openssl.org/news/secadv_20060905.txt
   * crypto/asn1/tasn_dec.c, asn1_d2i_ex_primitive(): Initialize 'ret' to avoid
     an infinite loop in some circumstances. [CVE-2006-2937]
   * ssl/ssl_lib.c, SSL_get_shared_ciphers(): Fix len comparison to correctly
     handle invalid long cipher list strings. [CVE-2006-3738]
   * ssl/s2_clnt.c, get_server_hello(): Check for NULL session certificate to
     avoid client crash with malicious server responses. [CVE-2006-4343]
   * Certain types of public key could take disproportionate amounts of time to
     process. Apply patch from Bodo Moeller to impose limits to public key type
     values (similar to Mozilla's libnss). Fixes CPU usage/memory DoS. [CVE-2006-2940]

Just released, should be on the mirrors in about two hours.