-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-1970-1 security@debian.org http://www.debian.org/security/ Stefan Fritsch January 13, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : openssl Vulnerability : denial of service Problem type : remote Debian-specific: no CVE Id : CVE-2009-4355 It was discovered that a significant memory leak could occur in openssl, related to the reinitialization of zlib. This could result in a remotely exploitable denial of service vulnerability when using the Apache httpd server in a configuration where mod_ssl, mod_php5, and the php5-curl extension are loaded. The old stable distribution (etch) is not affected by this issue. For the stable distribution (lenny), this problem has been fixed in version 0.9.8g-15+lenny6. The packages for the arm architecture are not included in this advisory. They will be released as soon as they become available. For the testing distribution (squeeze) and the unstable distribution (sid), this problem will be fixed soon. The issue does not seem to be exploitable with the apache2 package contained in squeeze/sid. We recommend that you upgrade your openssl packages. You also need to restart your Apache httpd server to make sure it uses the updated libraries. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. If you use apache2, you should restart it to make sure that it uses the updated libraries: /etc/init.d/apache2 restart Debian GNU/Linux 5.0 alias lenny (stable) - ----------------------------------------- Stable updates are available for alpha, amd64, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc. Source archives: http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g.orig.tar.gz Size/MD5 checksum: 3354792 acf70a16359bf3658bdfb74bda1c4419 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.dsc Size/MD5 checksum: 1973 3240bf459cdb8947e48f2dbefe57a280 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6.diff.gz Size/MD5 checksum: 59104 06bb67baea434b022552960e6cd0f316 alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_alpha.udeb Size/MD5 checksum: 722026 684030ca277ee132aedb6377b8d7f4e9 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_alpha.deb Size/MD5 checksum: 1028856 7ee53ab22e9b6211e4a043dcebe8c91a http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_alpha.deb Size/MD5 checksum: 2813580 c5623a1bc1363cdda859a7fb7821f26e http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_alpha.deb Size/MD5 checksum: 4369342 a5c5c8e0fabeab67421ddcd3143fc14e http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_alpha.deb Size/MD5 checksum: 2582954 e78239c77c259265884f0fc3a916c1da amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_amd64.udeb Size/MD5 checksum: 638372 b6aefcac5fe4c7b506fd328594a7ef1e http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_amd64.deb Size/MD5 checksum: 975718 d993a3bf5c2b714f34241d4129c5cd91 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_amd64.deb Size/MD5 checksum: 1043198 c4d0fa66bbf6bb9a85a5c926d6d32823 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_amd64.deb Size/MD5 checksum: 2242218 4eabde020e8cbcab26342fa0ce1c6d94 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_amd64.deb Size/MD5 checksum: 1627524 dc09c2e462fe448ed63fe884dbc03c9c armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_armel.deb Size/MD5 checksum: 1030998 d505cd8eb7543ca6726fdc91de4d823a http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_armel.deb Size/MD5 checksum: 850364 c90307d3eb1fc6b9c0a88cfe3f3ce49e http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_armel.deb Size/MD5 checksum: 1508384 7f7e664d2c2187df7314c16963bcbec4 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_armel.deb Size/MD5 checksum: 2100080 23b91062f109f6a5b8038142b96aa6ac http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_armel.udeb Size/MD5 checksum: 540714 a27289a8f7c165c9a1d3bc1e5e47d860 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_hppa.deb Size/MD5 checksum: 968454 307320e4435ac4f745c4589edac24c44 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_hppa.deb Size/MD5 checksum: 1524864 a385c063f0c7bb11d03f0b10af0ae9e2 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_hppa.deb Size/MD5 checksum: 2269664 3b20cf2dc9939fe2e7b3f3d0a2ab8022 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_hppa.deb Size/MD5 checksum: 1046148 7093672ffc82c1f073e7bd9b362622d6 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_hppa.udeb Size/MD5 checksum: 634496 0e4ca720c1f5f756160d5658b6876ace i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_i386.deb Size/MD5 checksum: 2111886 07b55073b62f613cc0866f100d7da71a http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_i386.udeb Size/MD5 checksum: 591656 24ec3a4b4a96ddfdec5aa478eb31d0b0 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_i386.deb Size/MD5 checksum: 5389130 70fd24d33bd15049405591f9fc2bbcd1 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_i386.deb Size/MD5 checksum: 1036390 edeadbfad4cb91701d0d854a809f587d http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_i386.deb Size/MD5 checksum: 2975114 5e64360f2e6dd5ac7c01be5700352c3e ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_ia64.deb Size/MD5 checksum: 1091724 02f18d38bd0d81ad842c0a98e717e0d6 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_ia64.deb Size/MD5 checksum: 1282602 288f179800dc55c7a4329b11a6d8606d http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_ia64.udeb Size/MD5 checksum: 865448 1897cc56f80ba69a6436e35cab884426 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_ia64.deb Size/MD5 checksum: 2659298 b0618ea500638424b18abc94e4116b8e http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_ia64.deb Size/MD5 checksum: 1466720 02f43deb94f7ca8c7fc14726e0c546e2 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mips.deb Size/MD5 checksum: 2305674 af7113bfec7e8b0e68df37ed5f738f64 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mips.deb Size/MD5 checksum: 1025046 4e292bdc8f72ed8501e5023feb8b02ca http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mips.udeb Size/MD5 checksum: 585108 54d6ca56986ed39dabd7f4abe9d39fea http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mips.deb Size/MD5 checksum: 1624960 7917a77cac88a712d07667b3a52f512c http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mips.deb Size/MD5 checksum: 899692 d91d59db784860acb0d1754e1e3ae6dc mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_mipsel.udeb Size/MD5 checksum: 572340 f20f86629cf0413e991ada8d8709ab6a http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_mipsel.deb Size/MD5 checksum: 2295270 291cd9b3b9716927c199e36ac99cfcdd http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_mipsel.deb Size/MD5 checksum: 1588064 7a33af46eb5c6fdf29ecd4ccc72fd57a http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_mipsel.deb Size/MD5 checksum: 1012028 2353015991c7ca5942461695029eba00 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_mipsel.deb Size/MD5 checksum: 885438 835d6a08a8d0d3dfd12969df207749b1 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_powerpc.deb Size/MD5 checksum: 1035248 957678dd206e9da5eeb00812110ac4cc http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_powerpc.deb Size/MD5 checksum: 1643378 515ead9be6696f9f7cee90acad723e8a http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_powerpc.udeb Size/MD5 checksum: 656142 1c55ca2a303a068dc58b48e41106a372 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_powerpc.deb Size/MD5 checksum: 2244176 14b5fae6837849223de16552f48afd96 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_powerpc.deb Size/MD5 checksum: 1000474 d5b0c8be8037fa8eb31e128195d73777 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_s390.deb Size/MD5 checksum: 1602212 05dc99a65418f046330904a95c6e521d http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_s390.udeb Size/MD5 checksum: 692806 efbc1a57f8d002259252d3279bee81d0 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_s390.deb Size/MD5 checksum: 1051028 5b3fb31b94c4a6bf6a8d2612a062e665 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_s390.deb Size/MD5 checksum: 1024346 a2189af0b6688ed65478cb88b818754b http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_s390.deb Size/MD5 checksum: 2231392 1066a2bce93b8eddc9a030bdf0529ced sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8_0.9.8g-15+lenny6_sparc.deb Size/MD5 checksum: 2289642 ce5da789600c428462beb658b427d781 http://security.debian.org/pool/updates/main/o/openssl/openssl_0.9.8g-15+lenny6_sparc.deb Size/MD5 checksum: 1044934 f75ef304db194c15ea2de34f841b5825 http://security.debian.org/pool/updates/main/o/openssl/libssl-dev_0.9.8g-15+lenny6_sparc.deb Size/MD5 checksum: 2141914 cab94489e491e76c7718dd8f88f89049 http://security.debian.org/pool/updates/main/o/openssl/libcrypto0.9.8-udeb_0.9.8g-15+lenny6_sparc.udeb Size/MD5 checksum: 580378 2bfe10092e4cb83d8f4602a3f48ddb75 http://security.debian.org/pool/updates/main/o/openssl/libssl0.9.8-dbg_0.9.8g-15+lenny6_sparc.deb Size/MD5 checksum: 3873244 ad31823167dbebe72337f242a2f1cb06 These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iD8DBQFLThSzbxelr8HyTqQRAm+vAJ0frlXwfNDQowBWjhIIrV7xAvWSSwCgwQLq okEtFWyu9HXkSwJF4kW2+kc= =NA8j -----END PGP SIGNATURE-----