full-disclosure-uk January 2010 archive

[Full-disclosure] rPSA-2010-0004-1 openssl openssl-scripts

From: rPath Update Announcements <announce-noreply_at_nospam>
Date: Thu Jan 14 2010 - 23:07:58 GMT
To: product-announce@lists.rpath.com, security-announce@lists.rpath.com, update-announce@lists.rpath.com

rPath Security Advisory: 2010-0004-1
Published: 2010-01-14

    rPath Appliance Platform Linux Service 2
    rPath Linux 2

Rating: Severe
Exposure Level Classification:

    Remote User Deterministic Denial of Service
Updated Versions:

    openssl=conary.rpath.com@rpl:2/0.9.8g-7.3-1
    openssl-scripts=conary.rpath.com@rpl:2/0.9.8g-7.3-1

rPath Issue Tracking System:

    In previous versions of openssl, calling CRYPTO_cleanup_all_ex_data
    did not properly clean up data structures used in openssl's zlib
    compression methods. As a result, applications which called
    CRYPTO_cleanup_all_ex_data and subsequently processed SSLv3
    requests would leak significant amounts of memory per request.

    In particular, this is known to affect systems running Apache httpd
    with mod_ssl and the php module loaded. If httpd receives SIGUSR1
    (the "graceful" command), subsequent SSLv3 requests will cause
    increased memory consumption, and a possible denial-of-service.

    On unpatched systems, note that the impact of this vulnerability
    can be greatly reduced by tuning the MaxRequestsPerChild
    setting in the httpd configuration, as the memory leak does not
    affect the parent process.
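    The mitigation above depends on two things an administrator can read straight out of httpd.conf: whether mod_ssl and a php module are both loaded, and whether MaxRequestsPerChild bounds how long a leaking child lives (0 means the child is never recycled). The following checker is an added example, not part of the advisory or of rPath's tooling; the httpd.conf fragments it scans are constructed samples, and the finding labels are this example's own names.

```python
import re

# Constructed sample httpd.conf fragments (not from the advisory).
EXPOSED_CONF = """\
LoadModule ssl_module modules/mod_ssl.so
LoadModule php5_module modules/libphp5.so
<IfModule prefork.c>
    # 0 means a child is never recycled, so a per-request leak grows unbounded
    StartServers        8
    MaxRequestsPerChild 0
</IfModule>
"""
# Same configuration with the mitigation applied: children are recycled
# after 1000 requests, which caps the memory a leaking child can hold.
MITIGATED_CONF = EXPOSED_CONF.replace("MaxRequestsPerChild 0", "MaxRequestsPerChild 1000")


def parse_httpd_conf(text):
    """Return (set of loaded module names, MaxRequestsPerChild value or None)."""
    modules, max_requests = set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # httpd comments are whole lines
            continue
        m = re.match(r"LoadModule\s+(\S+)\s+\S+", line, re.I)
        if m:
            modules.add(m.group(1).lower())
            continue
        m = re.match(r"MaxRequestsPerChild\s+(\d+)\b", line, re.I)
        if m:
            max_requests = int(m.group(1))        # last occurrence wins, as in httpd
    return modules, max_requests


def assess(text):
    """Classify exposure to the post-graceful SSLv3 leak described in the advisory."""
    modules, max_requests = parse_httpd_conf(text)
    ssl_loaded = "ssl_module" in modules
    php_loaded = any(name.startswith("php") for name in modules)
    if not (ssl_loaded and php_loaded):
        finding = "not-affected"          # the known-affected combination is absent
    elif max_requests is None:
        finding = "exposed-default"       # effective limit comes from the MPM default
    elif max_requests == 0:
        finding = "exposed-unbounded"     # leaking children live forever
    else:
        finding = "exposed-bounded"       # leak is capped per child lifetime
    return {"mod_ssl": ssl_loaded, "php": php_loaded,
            "max_requests_per_child": max_requests, "finding": finding}


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("mitigated", MITIGATED_CONF)):
        print(label, assess(conf))
```

    Point it at a real httpd.conf by reading the file into `assess`; note that it does not follow Include directives, so split configurations need each file checked.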


Copyright 2010 rPath, Inc.
This file is distributed under the terms of the MIT License. A copy is available at http://www.rpath.com/permanent/mit-license.html

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/