Update 1: Apple posts support document for iOS 4.3.5:
iOS 4.3.5 Software Update
- Data Security
Available for: iOS 3.0 through 4.3.4 for iPhone 3GS and iPhone 4 (GSM), iOS 3.1 through 4.3.4 for iPod touch (3rd generation) and later, iOS 3.2 through 4.3.4 for iPad
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS. Other attacks involving X.509 certificate validation may also be possible. This issue is addressed through improved validation of X.509 certificate chains.
CVE-ID
CVE-2011-0228 : Gregor Kopf of Recurity Labs on behalf of BSI, and Paul Kehrer of Trustwave’s SpiderLabs
Apple has just released iOS 4.3.5 to fix a security issue (as first noted by MacStories), and most likely a bunch of bug fixes as always. The change log reads:
Fixes a security vulnerability with certificate validation.
The update is available for the iPhone 4, iPhone 3GS, iPad, iPad 2, and 3rd and 4th gen iPod touch. If you’re on a jailbroken device using iOS 4.3.3, do not update as this will erase your jailbreak. iOS 4.3.4 was released only ten days ago.
