Debian: DSA-1970-1: New openssl packages fix denial of service

    Date13 Jan 2010
    CategoryDebian
    43
    Posted ByLinuxSecurity Advisories
    It was discovered that a significant memory leak could occur in openssl, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl
    
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1970-1                  This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                           Stefan Fritsch
    January 13, 2010                      http://www.debian.org/security/faq
    - ------------------------------------------------------------------------
    
    Package        : openssl
    Vulnerability  : denial of service
    Problem type   : remote
    Debian-specific: no
    CVE Id         : CVE-2009-4355
    
    It was discovered that a significant memory leak could occur in openssl,
    related to the reinitialization of zlib. This could result in a remotely
    exploitable denial of service vulnerability when using the Apache httpd
    server in a configuration where mod_ssl, mod_php5, and the php5-curl
    extension are loaded.
    
    The old stable distribution (etch) is not affected by this issue.
    
    For the stable distribution (lenny), this problem has been fixed in
    version 0.9.8g-15+lenny6.
    
    The packages for the arm architecture are not included in this advisory.
    They will be released as soon as they become available.
    
    For the testing distribution (squeeze) and the unstable distribution
    (sid), this problem will be fixed soon. The issue does not seem to be
    exploitable with the apache2 package contained in squeeze/sid.
    
    We recommend that you upgrade your openssl packages. You also need to
    restart your Apache httpd server to make sure it uses the updated
    libraries.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    If you use apache2, you should restart it to make sure that it uses the
    updated libraries:
    
    /etc/init.d/apache2 restart
    
    Debian GNU/Linux 5.0 alias lenny (stable)
    - -----------------------------------------
    
    Stable updates are available for alpha, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
        Size/MD5 checksum:  3354792 acf70a16359bf3658bdfb74bda1c4419
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.dsc
        Size/MD5 checksum:     1973 3240bf459cdb8947e48f2dbefe57a280
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.diff.gz
        Size/MD5 checksum:    59104 06bb67baea434b022552960e6cd0f316
    
    alpha architecture (DEC Alpha)
    
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_alpha.udeb
        Size/MD5 checksum:   722026 684030ca277ee132aedb6377b8d7f4e9
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_alpha.deb
        Size/MD5 checksum:  1028856 7ee53ab22e9b6211e4a043dcebe8c91a
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_alpha.deb
        Size/MD5 checksum:  2813580 c5623a1bc1363cdda859a7fb7821f26e
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_alpha.deb
        Size/MD5 checksum:  4369342 a5c5c8e0fabeab67421ddcd3143fc14e
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_alpha.deb
        Size/MD5 checksum:  2582954 e78239c77c259265884f0fc3a916c1da
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_amd64.udeb
        Size/MD5 checksum:   638372 b6aefcac5fe4c7b506fd328594a7ef1e
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_amd64.deb
        Size/MD5 checksum:   975718 d993a3bf5c2b714f34241d4129c5cd91
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_amd64.deb
        Size/MD5 checksum:  1043198 c4d0fa66bbf6bb9a85a5c926d6d32823
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_amd64.deb
        Size/MD5 checksum:  2242218 4eabde020e8cbcab26342fa0ce1c6d94
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_amd64.deb
        Size/MD5 checksum:  1627524 dc09c2e462fe448ed63fe884dbc03c9c
    
    armel architecture (ARM EABI)
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_armel.deb
        Size/MD5 checksum:  1030998 d505cd8eb7543ca6726fdc91de4d823a
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_armel.deb
        Size/MD5 checksum:   850364 c90307d3eb1fc6b9c0a88cfe3f3ce49e
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_armel.deb
        Size/MD5 checksum:  1508384 7f7e664d2c2187df7314c16963bcbec4
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_armel.deb
        Size/MD5 checksum:  2100080 23b91062f109f6a5b8038142b96aa6ac
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_armel.udeb
        Size/MD5 checksum:   540714 a27289a8f7c165c9a1d3bc1e5e47d860
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_hppa.deb
        Size/MD5 checksum:   968454 307320e4435ac4f745c4589edac24c44
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_hppa.deb
        Size/MD5 checksum:  1524864 a385c063f0c7bb11d03f0b10af0ae9e2
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_hppa.deb
        Size/MD5 checksum:  2269664 3b20cf2dc9939fe2e7b3f3d0a2ab8022
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_hppa.deb
        Size/MD5 checksum:  1046148 7093672ffc82c1f073e7bd9b362622d6
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_hppa.udeb
        Size/MD5 checksum:   634496 0e4ca720c1f5f756160d5658b6876ace
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_i386.deb
        Size/MD5 checksum:  2111886 07b55073b62f613cc0866f100d7da71a
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_i386.udeb
        Size/MD5 checksum:   591656 24ec3a4b4a96ddfdec5aa478eb31d0b0
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_i386.deb
        Size/MD5 checksum:  5389130 70fd24d33bd15049405591f9fc2bbcd1
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_i386.deb
        Size/MD5 checksum:  1036390 edeadbfad4cb91701d0d854a809f587d
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_i386.deb
        Size/MD5 checksum:  2975114 5e64360f2e6dd5ac7c01be5700352c3e
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_ia64.deb
        Size/MD5 checksum:  1091724 02f18d38bd0d81ad842c0a98e717e0d6
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_ia64.deb
        Size/MD5 checksum:  1282602 288f179800dc55c7a4329b11a6d8606d
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_ia64.udeb
        Size/MD5 checksum:   865448 1897cc56f80ba69a6436e35cab884426
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_ia64.deb
        Size/MD5 checksum:  2659298 b0618ea500638424b18abc94e4116b8e
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_ia64.deb
        Size/MD5 checksum:  1466720 02f43deb94f7ca8c7fc14726e0c546e2
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mips.deb
        Size/MD5 checksum:  2305674 af7113bfec7e8b0e68df37ed5f738f64
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mips.deb
        Size/MD5 checksum:  1025046 4e292bdc8f72ed8501e5023feb8b02ca
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mips.udeb
        Size/MD5 checksum:   585108 54d6ca56986ed39dabd7f4abe9d39fea
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mips.deb
        Size/MD5 checksum:  1624960 7917a77cac88a712d07667b3a52f512c
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mips.deb
        Size/MD5 checksum:   899692 d91d59db784860acb0d1754e1e3ae6dc
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mipsel.udeb
        Size/MD5 checksum:   572340 f20f86629cf0413e991ada8d8709ab6a
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mipsel.deb
        Size/MD5 checksum:  2295270 291cd9b3b9716927c199e36ac99cfcdd
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mipsel.deb
        Size/MD5 checksum:  1588064 7a33af46eb5c6fdf29ecd4ccc72fd57a
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mipsel.deb
        Size/MD5 checksum:  1012028 2353015991c7ca5942461695029eba00
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mipsel.deb
        Size/MD5 checksum:   885438 835d6a08a8d0d3dfd12969df207749b1
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_powerpc.deb
        Size/MD5 checksum:  1035248 957678dd206e9da5eeb00812110ac4cc
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_powerpc.deb
        Size/MD5 checksum:  1643378 515ead9be6696f9f7cee90acad723e8a
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_powerpc.udeb
        Size/MD5 checksum:   656142 1c55ca2a303a068dc58b48e41106a372
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_powerpc.deb
        Size/MD5 checksum:  2244176 14b5fae6837849223de16552f48afd96
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_powerpc.deb
        Size/MD5 checksum:  1000474 d5b0c8be8037fa8eb31e128195d73777
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_s390.deb
        Size/MD5 checksum:  1602212 05dc99a65418f046330904a95c6e521d
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_s390.udeb
        Size/MD5 checksum:   692806 efbc1a57f8d002259252d3279bee81d0
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_s390.deb
        Size/MD5 checksum:  1051028 5b3fb31b94c4a6bf6a8d2612a062e665
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_s390.deb
        Size/MD5 checksum:  1024346 a2189af0b6688ed65478cb88b818754b
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_s390.deb
        Size/MD5 checksum:  2231392 1066a2bce93b8eddc9a030bdf0529ced
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_sparc.deb
        Size/MD5 checksum:  2289642 ce5da789600c428462beb658b427d781
      http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_sparc.deb
        Size/MD5 checksum:  1044934 f75ef304db194c15ea2de34f841b5825
      http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_sparc.deb
        Size/MD5 checksum:  2141914 cab94489e491e76c7718dd8f88f89049
      http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_sparc.udeb
        Size/MD5 checksum:   580378 2bfe10092e4cb83d8f4602a3f48ddb75
      http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_sparc.deb
        Size/MD5 checksum:  3873244 ad31823167dbebe72337f242a2f1cb06
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and http://packages.debian.org/
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"24","type":"x","order":"1","pct":54.55,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":11.36,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"15","type":"x","order":"3","pct":34.09,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.