|| ||rPath Update Announcements <firstname.lastname@example.org> |
|| ||email@example.com, firstname.lastname@example.org,
|| ||rPSA-2010-0004-1 openssl openssl-scripts |
|| ||Thu, 14 Jan 2010 18:07:58 -0500|
|| ||email@example.com, firstname.lastname@example.org,
rPath Security Advisory: 2010-0004-1
rPath Appliance Platform Linux Service 2
rPath Linux 2
Exposure Level Classification:
Remote User Deterministic Denial of Service
rPath Issue Tracking System:
In previous versions of openssl, calling CRYPTO_cleanup_all_ex_data
did not properly clean up data structures used in openssl's zlib
compression methods. As a result, applications which called
CRYPTO_cleanup_all_ex_data and subsequently processed SSLv3
requests would leak significant amounts of memory per request.
In particular, this is known to affect systems running Apache httpd
with mod_ssl and the php module loaded. If httpd receives SIGUSR1
(the "graceful" command), subsequent SSLv3 requests will cause
increased memory consumption, and a possible denial-of-service.
On unpatched systems, note that the impact of this vulnerability
can be greatly reduced by tuning the MaxRequestsPerChild
setting in the httpd configuration, as the memory leak does not
affect the parent process.
Copyright 2010 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
to post comments)