Forum: >>> Magnum BBS <<<

[SECURITY] [DSA-1970-1] New openssl packages fix denial of service (1/2

From Stefan Fritsch@1:229/2 to All on Wed Jan 13 19:50:01 2010

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-1970-1 [email protected] http://www.debian.org/security/ Stefan Fritsch January 13, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : openssl
Vulnerability : denial of service
Problem type : remote
Debian-specific: no
CVE Id : CVE-2009-4355

It was discovered that a significant memory leak could occur in openssl, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd
server in a configuration where mod_ssl, mod_php5, and the php5-curl
extension are loaded.

The old stable distribution (etch) is not affected by this issue.

For the stable distribution (lenny), this problem has been fixed in
version 0.9.8g-15+lenny6.

The packages for the arm architecture are not included in this advisory.
They will be released as soon as they become available.

For the testing distribution (squeeze) and the unstable distribution
(sid), this problem will be fixed soon. The issue does not seem to be exploitable with the apache2 package contained in squeeze/sid.

We recommend that you upgrade your openssl packages. You also need to
restart your Apache httpd server to make sure it uses the updated
libraries.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

If you use apache2, you should restart it to make sure that it uses the
updated libraries:

/etc/init.d/apache2 restart

Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz
Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.dsc
Size/MD5 checksum: 1973 3240bf459cdb8947e48f2dbefe57a280
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.diff.gz
Size/MD5 checksum: 59104 06bb67baea434b022552960e6cd0f316

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_alpha.udeb
Size/MD5 checksum: 722026 684030ca277ee132aedb6377b8d7f4e9
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_alpha.deb
Size/MD5 checksum: 1028856 7ee53ab22e9b6211e4a043dcebe8c91a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_alpha.deb
Size/MD5 checksum: 2813580 c5623a1bc1363cdda859a7fb7821f26e
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_alpha.deb
Size/MD5 checksum: 4369342 a5c5c8e0fabeab67421ddcd3143fc14e
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_alpha.deb
Size/MD5 checksum: 2582954 e78239c77c259265884f0fc3a916c1da

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_amd64.udeb
Size/MD5 checksum: 638372 b6aefcac5fe4c7b506fd328594a7ef1e
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_amd64.deb
Size/MD5 checksum: 975718 d993a3bf5c2b714f34241d4129c5cd91
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_amd64.deb
Size/MD5 checksum: 1043198 c4d0fa66bbf6bb9a85a5c926d6d32823
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_amd64.deb
Size/MD5 checksum: 2242218 4eabde020e8cbcab26342fa0ce1c6d94
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_amd64.deb
Size/MD5 checksum: 1627524 dc09c2e462fe448ed63fe884dbc03c9c

armel architecture (ARM EABI)

http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_armel.deb
Size/MD5 checksum: 1030998 d505cd8eb7543ca6726fdc91de4d823a
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_armel.deb
Size/MD5 checksum: 850364 c90307d3eb1fc6b9c0a88cfe3f3ce49e
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_armel.deb
Size/MD5 checksum: 1508384 7f7e664d2c2187df7314c16963bcbec4
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_armel.deb
Size/MD5 checksum: 2100080 23b91062f109f6a5b8038142b96aa6ac
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_armel.udeb
Size/MD5 checksum: 540714 a27289a8f7c165c9a1d3bc1e5e47d860

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_hppa.deb
Size/MD5 checksum: 968454 307320e4435ac4f745c4589edac24c44
http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_hppa.deb
Size/MD5 checksum: 1524864 a385c063f0c7bb11d03f0b10af0ae9e2
http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_hppa.deb
Size/MD5 checksum: 2269664 3b20cf2dc9939fe2e7b3f3d0a2ab8022
http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_hppa.deb
Size/MD5 checksum: 1046148 7093672ffc82c1f073e7bd9b362622d6
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_hppa.udeb
Size/MD5 checksum: 634496 0e4ca720c1f5f756160d5658b6876ace

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_i386.deb
Size/MD5 checksum: 2111886 07b55073b62f613cc0866f100d7da71a
http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_i386.udeb

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Krenn
  Sun Jun 7 10:02:33 2026
  from Sydney, Nsw via Telnet
- Spearb0y
  Sun Jun 7 07:41:05 2026
  from Massachusetts via SSH
- Krenn
  Sun Jun 7 03:07:26 2026
  from Sydney, Nsw via Telnet
- Krenn
  Sun Jun 7 01:30:12 2026
  from Sydney, Nsw via Telnet
- Centurion
  Sat Jun 6 23:27:30 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Sat Jun 6 15:42:53 2026
  from Sheboygan, Wi via Telnet
- Centurion
  Sat Jun 6 15:32:28 2026
  from Berea, Ohio via Telnet
- Krenn
  Sat Jun 6 11:38:56 2026
  from Sydney, Nsw via Telnet

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	715
Nodes:	16 (0 / 16)
Uptime:	165:08:50
Calls:	12,096
Calls today:	4
Files:	15,001
Messages:	6,517,803

[SECURITY] [DSA-1970-1] New openssl packages fix denial of service (1/2

Who's Online

Recent Visitors

System Info