Preliminary statement on OpenSSL signature verification API misuse (CVE-2008-5077)
We are delaying the OpenSSL update because we want to make sure that
we only have to release one update, and not two or more. There are
some open questions surrounding the various advisories. As you might
have noticed, the published information is somewhat inconsistent.
Regarding the impact, note that the advisory from OpenSSL
explicitly states that verification of client certificates on the
server side is not affected. On the client side, some Debian packages
do not use OpenSSL for their TLS support (notably Iceweasel).
KDE/Konqueror and wget appear to be affected by this issue, though.
Several parties have verified that OpenSSH uses the relevant OpenSSL
API correctly, even when using DSA keys.