Debian: DSA-2125-1 Critical OpenSSL Buffer Overflow Attack

November 22, 2010

DSA-2125-1 is Debian's fix for a critical buffer overflow in OpenSSL's TLS server extension parsing, which a remote client can trigger against affected servers.
A flaw has been found in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.

Summary

However, not all OpenSSL based SSL/TLS servers are vulnerable: A server
is vulnerable if it is multi-threaded and uses OpenSSL's internal caching
mechanism. In particular the Apache HTTP server (which never uses OpenSSL
internal caching) and Stunnel (which includes its own workaround) are NOT
affected.

This upgrade fixes this issue. After the upgrade, any services using the
openssl libraries need to be restarted. The checkrestart script from the
debian-goodies package or lsof can help to find out which services need
to be restarted.
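The restart check above relies on one kernel fact: a process that still maps the old, now replaced libssl/libcrypto keeps the deleted file alive, and /proc/<pid>/maps marks that mapping "(deleted)". The script below is an added example, not the advisory's text and not the checkrestart script from debian-goodies; it reproduces that check, adds a dpkg version comparison against the lenny fix version named in the advisory, and runs its demo on a constructed sample maps file (the PIDs, paths and inode numbers in it are made up).

```shell
#!/bin/sh
# Added example (not from the advisory or debian-goodies): find processes
# that still map the OLD, deleted libssl/libcrypto after the upgrade and
# therefore need a restart. The "(deleted)" marker in /proc/<pid>/maps is
# the same signal checkrestart and "lsof" (FD column "DEL") rely on.

FIXED_VERSION="0.9.8g-15+lenny9"   # stable/lenny fix version from the advisory

# Print the lines of one /proc/<pid>/maps-style file that reference a deleted
# libssl or libcrypto; exit status 0 if at least one was found.
stale_ssl_lines() {
    grep -E 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1"
}

# Same check, but print only the number of such lines (always exits 0).
stale_ssl_count() {
    grep -cE 'lib(ssl|crypto)\.so[^ ]* \(deleted\)$' "$1" || true
}

# Walk the live system and print "<pid> <cmdline>" for every process still
# using the deleted library. Reading other users' maps files needs root.
stale_ssl_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if stale_ssl_lines "$maps" >/dev/null 2>&1; then
            pid=${maps#/proc/}; pid=${pid%/maps}
            cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-60)
            printf '%s %s\n' "$pid" "$cmd"
        fi
    done
}

# Is the installed libssl0.9.8 older than the fixed version? dpkg's own
# ordering is used so suffixes like "+lenny9" compare the way apt sees them.
# Only meaningful on a Debian host; prints a one-line verdict.
libssl_status() {
    installed=$(dpkg-query -W -f='${Version}' libssl0.9.8 2>/dev/null) || {
        echo "libssl0.9.8 not installed"; return
    }
    if dpkg --compare-versions "$installed" lt "$FIXED_VERSION"; then
        echo "upgrade needed ($installed < $FIXED_VERSION)"
    else
        echo "ok ($installed)"
    fi
}

# --- demo on constructed sample data (not a real process) -----------------
SAMPLE_MAPS=$(mktemp)
cat > "$SAMPLE_MAPS" <<'EOF'
7f3b2a000000-7f3b2a01c000 r-xp 00000000 08:01 393224  /lib/ld-2.7.so
7f3b2a200000-7f3b2a23c000 r-xp 00000000 08:01 393300  /usr/lib/libssl.so.0.9.8 (deleted)
7f3b2a400000-7f3b2a55a000 r-xp 00000000 08:01 393301  /usr/lib/libcrypto.so.0.9.8 (deleted)
7f3b2a700000-7f3b2a730000 r-xp 00000000 08:01 393350  /usr/lib/libz.so.1.2.3.3 (deleted)
7f3b2a900000-7f3b2a93c000 r-xp 00000000 08:01 393400  /usr/lib/libssl.so.0.9.8
EOF

echo "stale OpenSSL mappings in sample: $(stale_ssl_count "$SAMPLE_MAPS")"
stale_ssl_lines "$SAMPLE_MAPS"      # libz is deleted too, but is not our concern here
rm -f "$SAMPLE_MAPS"

# On a real Debian host run, as root:
#   libssl_status
#   stale_ssl_procs            # or: lsof -n | grep -E 'DEL.*lib(ssl|crypto)'
```

A deleted mapping only proves the process was started before the upgrade; it is the same condition checkrestart reports, and restarting the listed service (or the whole host) clears it. A libssl mapping without "(deleted)" means the process already loaded the new library and needs nothing.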

A note to users of the tor packages from the Debian backports or Debian
volatile: This openssl update causes problems with some versions of tor.
You need to update to tor 0.2.1.26-4~bpo50+1 or 0.2.1.26-1~lennyvolatile2,
respectively. The tor package version 0.2.0.35-1~lenny2 from Debian stable
is not affected by these problems.

For the stable distribution (lenny), the problem has been fixed in
openssl version 0.9.8g-15+lenny9.

For the testing distribution (squeeze) and...


Severity: critical
