
SUSE-SA:2009:006 -- SUSE openssl SSL certificate checking bypass

ID: oval:org.secpod.oval:def:400091
Date: (C)2012-01-31   (M)2022-08-04
Class: PATCH
Family: unix




The OpenSSL certificate checking routine EVP_VerifyFinal can return negative values as well as 0 on failure. In some places negative values were not checked and were treated as successful verification. Prior to this update it was possible to bypass the certificate chain checks of openssl. This advisory covers the updates that improve the verification of return values inside the OpenSSL library itself. Several client programs also need fixes to check that return value. A bind update which fixes this was already released yesterday, tracked in SUSE-SA:2009:005. A boinc-client and libnasl update was also released yesterday. Updates for ntp, xntp, and eID-Belgium are being prepared.
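The return-value handling described above, as an added example that is not code from OpenSSL or from the SUSE update: a caller that tests only for zero accepts a negative error return, while a caller that requires exactly 1 rejects it. `verify_final_stub` and the `sig_state` enum are hypothetical stand-ins that model only the three return classes (1, 0, negative) so the block runs without linking against OpenSSL.

```c
#include <stdio.h>

/* Hypothetical stand-in for a verification call with the tri-state contract
 * the advisory describes: 1 = verified, 0 = verification failed,
 * negative = an error occurred while verifying. Not an OpenSSL function. */
enum sig_state { SIG_VALID, SIG_INVALID, SIG_ERROR };

static int verify_final_stub(enum sig_state sig)
{
    switch (sig) {
    case SIG_VALID:   return 1;
    case SIG_INVALID: return 0;
    default:          return -1;
    }
}

/* Flawed caller: only a return of 0 is treated as failure, so the
 * negative error return falls through and is accepted. */
static int accept_flawed(enum sig_state sig)
{
    if (!verify_final_stub(sig))
        return 0;   /* rejected */
    return 1;       /* accepted */
}

/* Corrected caller: success is exactly 1; 0 and negatives both fail. */
static int accept_fixed(enum sig_state sig)
{
    return verify_final_stub(sig) == 1;
}

int main(void)
{
    static const char *names[] = { "valid", "invalid", "error" };
    for (int s = SIG_VALID; s <= SIG_ERROR; s++)
        printf("%-8s flawed=%d fixed=%d\n", names[s],
               accept_flawed((enum sig_state)s),
               accept_fixed((enum sig_state)s));
    return 0;
}
```

When auditing client code for the same pattern, look for the verification result used directly as a boolean (`if (!rc)`, `if (rc)`) instead of being compared against 1.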

Platform:
openSUSE 10.3
openSUSE 11.1
openSUSE 11.0
Product:
openssl
Reference:
SUSE-SA:2009:006
CVE-2008-5077
CPE:
cpe:/o:opensuse:opensuse:11.1
cpe:/o:opensuse:opensuse:11.0
cpe:/o:opensuse:opensuse:10.3

© SecPod Technologies