
[Full-disclosure] rPSA-2010-0004-1 openssl openssl-scripts

From: rPath Update Announcements <announce-noreply_at_nospam>
Date: Thu Jan 14 2010 - 23:07:58 GMT
To: product-announce@lists.rpath.com, security-announce@lists.rpath.com, update-announce@lists.rpath.com


rPath Security Advisory: 2010-0004-1
Published: 2010-01-14
Products:

    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Severe
Exposure Level Classification:

    Remote User Deterministic Denial of Service

Updated Versions:

    openssl=conary.rpath.com@rpl:2/0.9.8g-7.3-1
    openssl-scripts=conary.rpath.com@rpl:2/0.9.8g-7.3-1

rPath Issue Tracking System:

    https://issues.rpath.com/browse/RPL-3157

References:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355

Description:

    In previous versions of openssl, calling CRYPTO_cleanup_all_ex_data did not properly clean up data structures used in openssl's zlib compression methods. As a result, applications which called CRYPTO_cleanup_all_ex_data and subsequently processed SSLv3 requests would leak significant amounts of memory per request.

    In particular, this is known to affect systems running Apache httpd with mod_ssl and the php module loaded. If httpd receives SIGUSR1 (the "graceful" command), subsequent SSLv3 requests will cause increased memory consumption, and a possible denial-of-service.

    On unpatched systems, note that the impact of this vulnerability can be greatly reduced by tuning the MaxRequestsPerChild setting in the httpd configuration, as the memory leak does not affect the parent process.
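The workaround above, as an added httpd 2.2 prefork configuration fragment (not part of the advisory; the server sizing values and the request limit of 1000 are assumptions to be tuned per host). Because the leak lives only in the child processes, recycling each child after a bounded number of requests returns the leaked memory to the system; a value of 0 would let a leaking child grow without limit until the next restart.

```apache
# Constructed example: bound the memory a leaking mod_ssl child can accumulate
# on an unpatched openssl 0.9.8g host until the fixed package is installed.
<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients          150
    # Weak setting: 0 means a child serves requests forever, so the per-request
    # leak after a "graceful" restart grows until the box swaps.
    # MaxRequestsPerChild 0
    # Mitigation: retire each child after 1000 requests (assumed value); the parent
    # process, which is unaffected by the leak, forks a fresh replacement.
    MaxRequestsPerChild 1000
</IfModule>
```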

http://wiki.rpath.com/Advisories:rPSA-2010-0004

Copyright 2010 rPath, Inc.
This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/