CVE-2008-0891

Publication date 29 May 2008

Last updated 4 August 2025

Description

Double free vulnerability in OpenSSL 0.9.8f and 0.9.8g, when the TLS server name extensions are enabled, allows remote attackers to cause a denial of service (crash) via a malformed Client Hello packet. NOTE: some of these details are obtained from third party information.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
openssl	8.04 LTS hardy	Fixed 0.9.8g-4ubuntu3.3
	7.10 gutsy	Not affected
	7.04 feisty	Not affected
	6.06 LTS dapper	Not affected

How can I get the fixes?
What do statuses mean?

Notes

kees

I don't think we're compile with this option at all?

jdstrand

tlsext not enabled until 0.9.8g-5, so this is negligible on hardy

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-620-1
OpenSSL vulnerabilities
26 June 2008

Other references

http://www.openssl.org/news/secadv_20080528.txt
https://www.cve.org/CVERecord?id=CVE-2008-0891