|Main Archive Page > Month Archives > full-disclosure-uk archives|
rPath Security Advisory: 2010-0004-1
rPath Appliance Platform Linux Service 2 rPath Linux 2
Exposure Level Classification:
Remote User Deterministic Denial of Service Updated Versions:
rPath Issue Tracking System:
In previous versions of openssl, calling CRYPTO_cleanup_all_ex_data did not properly clean up data structures used in openssl's zlib compression methods. As a result, applications which called CRYPTO_cleanup_all_ex_data and subsequently processed SSLv3 requests would leak significant amounts of memory per request.
In particular, this is known to affect systems running Apache httpd with mod_ssl and the php module loaded. If httpd receives SIGUSR1 (the "graceful" command), subsequent SSLv3 requests will cause increased memory consumption, and a possible denial-of-service.
On unpatched systems, note that the impact of this vulnerability can be greatly reduced by tuning the MaxRequestsPerChild setting in the httpd configuration, as the memory leak does not affect the parent process.
Copyright 2010 rPath, Inc.
This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html