diff -u openssl-0.9.8b/ssl/ssl_lib.c openssl-0.9.8b/ssl/ssl_lib.c --- openssl-0.9.8b/ssl/ssl_lib.c +++ openssl-0.9.8b/ssl/ssl_lib.c @@ -1201,7 +1201,6 @@ char *SSL_get_shared_ciphers(const SSL *s,char *buf,int len) { char *p; - const char *cp; STACK_OF(SSL_CIPHER) *sk; SSL_CIPHER *c; int i; @@ -1214,20 +1213,20 @@ sk=s->session->ciphers; for (i=0; iname; *cp; ) + int n; + n=strlen(c->name); + if (n+1 > len) { - if (len-- <= 0) - { - *p='\0'; - return(buf); - } - else - *(p++)= *(cp++); + if (p != buf) + --p; + *p='\0'; + return buf; } + strcpy(p,c->name); + p+=n; *(p++)=':'; + len-=n+1; } p[-1]='\0'; return(buf); diff -u openssl-0.9.8b/Makefile openssl-0.9.8b/Makefile --- openssl-0.9.8b/Makefile +++ openssl-0.9.8b/Makefile @@ -12,9 +12,9 @@ SHLIB_MAJOR=0 SHLIB_MINOR=9.8 SHLIB_EXT=.so.$(SHLIB_MAJOR).$(SHLIB_MINOR) -PLATFORM=debian-amd64 +PLATFORM=debian-i386 OPTIONS=--prefix=/usr --openssldir=/usr/lib/ssl enable-zlib no-gmp no-idea no-krb5 no-mdc2 no-rc5 no-shared no-zlib-dynamic -CONFIGURE_ARGS=--prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib debian-amd64 +CONFIGURE_ARGS=--prefix=/usr --openssldir=/usr/lib/ssl no-idea no-mdc2 no-rc5 zlib debian-i386 SHLIB_TARGET=linux-shared # HERE indicates where this Makefile lives. This can be used to indicate @@ -60,7 +60,7 @@ # PKCS1_CHECK - pkcs1 tests. CC= gcc -CFLAG= -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall -DMD32_REG_T=int -DMD5_ASM +CFLAG= -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DL_ENDIAN -DTERMIO -O3 -Wa,--noexecstack -g -Wall DEPFLAG= -DOPENSSL_NO_GMP -DOPENSSL_NO_IDEA -DOPENSSL_NO_MDC2 -DOPENSSL_NO_RC5 PEX_LIBS= EX_LIBS= -ldl -lz 
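Review bot: The context line `p[-1]='\0';` after the loop still writes one byte before `buf` whenever the loop body never runs, because `p` is then still equal to `buf`; the added truncation branch guards this case with `if (p != buf)`, but the normal exit path does not. Whether an empty cipher list can reach this point depends on the checks at the top of SSL_get_shared_ciphers, which lie outside this hunk, so this needs confirming against the full function. Ending the function the same way as the truncation branch, `if (p != buf) --p;` followed by `*p='\0';`, would close the gap without changing the result for a non-empty list. Separately, `n=strlen(c->name)` narrows a size_t to int; the cipher names are presumably short library constants, and a comment such as `/* cipher names are short static strings, so n fits in int */` next to `int n;` would record that assumption.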
@@ -86,15 +86,15 @@ PROCESSOR= # CPUID module collects small commonly used assembler snippets -CPUID_OBJ= x86_64cpuid.o -BN_ASM= x86_64-gcc.o +CPUID_OBJ= +BN_ASM= bn_asm.o DES_ENC= des_enc.o fcrypt_b.o AES_ASM_OBJ= aes_core.o aes_cbc.o BF_ENC= bf_enc.o CAST_ENC= c_enc.o RC4_ENC= rc4_enc.o RC5_ENC= rc5_enc.o -MD5_ASM_OBJ= md5-x86_64.o +MD5_ASM_OBJ= SHA1_ASM_OBJ= RMD160_ASM_OBJ= @@ -143,7 +143,7 @@ SHARED_SSL=libssl$(SHLIB_EXT) SHARED_LIBS= SHARED_LIBS_LINK_EXTS=.so -SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld +SHARED_LDFLAGS= -Wl,--version-script=openssl.ld GENERAL= Makefile BASENAME= openssl diff -u openssl-0.9.8b/debian/changelog openssl-0.9.8b/debian/changelog --- openssl-0.9.8b/debian/changelog +++ openssl-0.9.8b/debian/changelog @@ -1,3 +1,14 @@ +openssl (0.9.8b-2ubuntu2.1) edgy-security; urgency=low + + * SECURITY UPDATE: OpenSSL SSL_get_shared_ciphers() off-by-one buffer overflow + * ssl/ssl_lib.c: Applied patch from openssl CVS to fix this bug. (LP: #146269) + Read http://cvs.openssl.org/chngview?cn=16587 + * References: + CVE-2007-5135 + http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded + + -- Stephan Hermann Fri, 28 Sep 2007 15:00:04 +0200 + openssl (0.9.8b-2ubuntu2) edgy; urgency=low * SECURITY UPDATE: Remote arbitrary code execution, remote DoS. diff -u openssl-0.9.8b/crypto/opensslconf.h openssl-0.9.8b/crypto/opensslconf.h --- openssl-0.9.8b/crypto/opensslconf.h +++ openssl-0.9.8b/crypto/opensslconf.h @@ -50,8 +50,6 @@ # endif #endif -#define OPENSSL_CPUID_OBJ - /* crypto/opensslconf.h.in */ /* Generate 80386 code? */ 
@@ -91,14 +89,14 @@ * - Intel P6 because partial register stalls are very expensive; * - elder Alpha because it lacks byte load/store instructions; */ -#define RC4_INT unsigned char +#define RC4_INT unsigned int #endif #if !defined(RC4_CHUNK) /* * This enables code handling data aligned at natural CPU word * boundary. See crypto/rc4/rc4_enc.c for further details. */ -#define RC4_CHUNK unsigned long +#undef RC4_CHUNK #endif #endif @@ -106,13 +104,13 @@ /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a * %20 speed up (longs are 8 bytes, int's are 4). */ #ifndef DES_LONG -#define DES_LONG unsigned int +#define DES_LONG unsigned long #endif #endif #if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) #define CONFIG_HEADER_BN_H -#undef BN_LLONG +#define BN_LLONG /* Should we define BN_DIV2W here? */ @@ -120,9 +118,9 @@ /* The prime number generation stuff may not work when * EIGHT_BIT but I don't care since I've only used this mode * for debuging the bignum libraries */ -#define SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT_LONG #undef SIXTY_FOUR_BIT -#undef THIRTY_TWO_BIT +#define THIRTY_TWO_BIT #undef SIXTEEN_BIT #undef EIGHT_BIT #endif @@ -131,12 +129,12 @@ #define CONFIG_HEADER_RC4_LOCL_H /* if this is defined data[i] is used instead of *data, this is a %20 * speedup on x86 */ -#undef RC4_INDEX +#define RC4_INDEX #endif #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) #define CONFIG_HEADER_BF_LOCL_H -#define BF_PTR2 +#undef BF_PTR #endif /* HEADER_BF_LOCL_H */ #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) 
@@ -145,14 +143,14 @@ /* the following is tweaked from a config script, that is why it is a * protected undef/define */ #ifndef DES_PTR -#undef DES_PTR +#define DES_PTR #endif /* This helps C compiler generate the correct code for multiple functional * units. It reduces register dependancies at the expense of 2 more * registers */ #ifndef DES_RISC1 -#undef DES_RISC1 +#define DES_RISC1 #endif #ifndef DES_RISC2