rPath Security Advisory: 2010-0004-1
Published: 2010-01-14
Products:
rPath Appliance Platform Linux Service 2
rPath Linux 2
Rating: Severe
Exposure Level Classification:
Remote User Deterministic Denial of Service
Updated Versions:
openssl=conary.rpath.com@rpl:2/0.9.8g-7.3-1
openssl-scripts=conary.rpath.com@rpl:2/0.9.8g-7.3-1
rPath Issue Tracking System:
https://issues.rpath.com/browse/RPL-3157
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4355
Description:
In previous versions of openssl, calling CRYPTO_cleanup_all_ex_data
did not properly clean up data structures used in openssl's zlib
compression methods. As a result, applications which called
CRYPTO_cleanup_all_ex_data and subsequently processed SSLv3
requests would leak significant amounts of memory per request.
In particular, this is known to affect systems running Apache httpd
with mod_ssl and the php module loaded. If httpd receives SIGUSR1
(the "graceful" command), subsequent SSLv3 requests will cause
increased memory consumption, and a possible denial-of-service.
On unpatched systems, note that the impact of this vulnerability
can be greatly reduced by tuning the MaxRequestsPerChild
setting in the httpd configuration, as the memory leak does not
affect the parent process.
http://wiki.rpath.com/Advisories:rPSA-2010-0004
Copyright 2010 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
