CVE-2009-4355

Description

Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678.

Affected products

• OpenSSL / OpenSSL1.0.0 – 1.0.0
• OpenSSL / OpenSSL0.9.1c – 0.9.1c
• OpenSSL / OpenSSL0.9.2b – 0.9.2b
• OpenSSL / OpenSSL0.9.3 – 0.9.3
• OpenSSL / OpenSSL0.9.3a – 0.9.3a
• OpenSSL / OpenSSL0.9.4 – 0.9.4
• OpenSSL / OpenSSL0.9.5 – 0.9.5
• OpenSSL / OpenSSL0.9.5 – 0.9.5
• OpenSSL / OpenSSL0.9.5 – 0.9.5
• OpenSSL / OpenSSL0.9.5a – 0.9.5a
• OpenSSL / OpenSSL0.9.5a – 0.9.5a
• OpenSSL / OpenSSL0.9.5a – 0.9.5a
• OpenSSL / OpenSSL0.9.6 – 0.9.6
• OpenSSL / OpenSSL0.9.6 – 0.9.6
• OpenSSL / OpenSSL0.9.6 – 0.9.6
• OpenSSL / OpenSSL0.9.6 – 0.9.6
• OpenSSL / OpenSSL0.9.6a – 0.9.6a
• OpenSSL / OpenSSL0.9.6a – 0.9.6a
• OpenSSL / OpenSSL0.9.6a – 0.9.6a
• OpenSSL / OpenSSL0.9.6a – 0.9.6a
• OpenSSL / OpenSSL0.9.6b – 0.9.6b
• OpenSSL / OpenSSL0.9.6c – 0.9.6c
• OpenSSL / OpenSSL0.9.6d – 0.9.6d
• OpenSSL / OpenSSL0.9.6e – 0.9.6e
• OpenSSL / OpenSSL0.9.6f – 0.9.6f
• OpenSSL / OpenSSL0.9.6g – 0.9.6g
• OpenSSL / OpenSSL0.9.6h – 0.9.6h
• OpenSSL / OpenSSL0.9.6i – 0.9.6i
• OpenSSL / OpenSSL0.9.6j – 0.9.6j
• OpenSSL / OpenSSL0.9.6k – 0.9.6k
• OpenSSL / OpenSSL0.9.6l – 0.9.6l
• OpenSSL / OpenSSL0.9.6m – 0.9.6m
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7 – 0.9.7
• OpenSSL / OpenSSL0.9.7a – 0.9.7a
• OpenSSL / OpenSSL0.9.7b – 0.9.7b
• OpenSSL / OpenSSL0.9.7c – 0.9.7c
• OpenSSL / OpenSSL0.9.7d – 0.9.7d
• OpenSSL / OpenSSL0.9.7e – 0.9.7e
• OpenSSL / OpenSSL0.9.7f – 0.9.7f
• OpenSSL / OpenSSL0.9.7g – 0.9.7g
• OpenSSL / OpenSSL0.9.7h – 0.9.7h
• OpenSSL / OpenSSL0.9.7i – 0.9.7i
• OpenSSL / OpenSSL0.9.7j – 0.9.7j
• OpenSSL / OpenSSL0.9.7k – 0.9.7k
• OpenSSL / OpenSSL0.9.7l – 0.9.7l
• OpenSSL / OpenSSL0.9.7m – 0.9.7m
• OpenSSL / OpenSSL0.9.8 – 0.9.8
• OpenSSL / OpenSSL0.9.8a – 0.9.8a
• OpenSSL / OpenSSL0.9.8b – 0.9.8b
• OpenSSL / OpenSSL0.9.8c – 0.9.8c
• OpenSSL / OpenSSL0.9.8d – 0.9.8d
• OpenSSL / OpenSSL0.9.8e – 0.9.8e
• OpenSSL / OpenSSL0.9.8f – 0.9.8f
• OpenSSL / OpenSSL0.9.8g – 0.9.8g
• OpenSSL / OpenSSL0.9.8h – 0.9.8h
• OpenSSL / OpenSSL0.9.8i – 0.9.8i
• OpenSSL / OpenSSL0.9.8j – 0.9.8j
• OpenSSL / OpenSSL0.9.8k – 0.9.8k
• OpenSSL / OpenSSL1.0.0 – 1.0.0
• OpenSSL / OpenSSL1.0.0 – 1.0.0
• OpenSSL / OpenSSL0.9.8l
• OpenSSL / OpenSSL1.0.0 – 1.0.0
• RedHat / openssl0.9.6-15 – 0.9.6-15
• RedHat / openssl0.9.6b-3 – 0.9.6b-3
• RedHat / openssl0.9.7a-2 – 0.9.7a-2

References

• VENDOR_ADVISORYhttp://www.debian.org/security/2010/dsa-1970
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/0916
• MISChttp://cvs.openssl.org/chngview?cn=19167
• VENDOR_ADVISORYhttp://secunia.com/advisories/42724
• VENDOR_ADVISORYhttp://secunia.com/advisories/39461
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11260
• MISChttps://bugzilla.redhat.com/show_bug.cgi?id=546707
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html
• MISChttp://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.663049
• VENDOR_ADVISORYhttp://secunia.com/advisories/38761
• VENDOR_ADVISORYhttp://wiki.rpath.com/wiki/Advisories:rPSA-2010-0004
• VENDOR_ADVISORYhttp://secunia.com/advisories/38181
• VENDOR_ADVISORYhttp://secunia.com/advisories/38200
• MISChttps://issues.rpath.com/browse/RPL-3157
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/0839
• MISChttp://cvs.openssl.org/chngview?cn=19069
• MAILING_LISThttp://marc.info/?l=bugtraq&m=127128920008563&w=2
• MISChttp://cvs.openssl.org/chngview?cn=19068
• VENDOR_ADVISORYhttp://www.mandriva.com/security/advisories?name=MDVSA-2010:022
• MISChttps://rhn.redhat.com/errata/RHSA-2010-0095.html
• VENDOR_ADVISORYhttp://www.ubuntu.com/usn/USN-884-1
• MAILING_LISThttp://marc.info/?l=bugtraq&m=127128920008563&w=2
• MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2010-01/msg00009.html
• MAILING_LISThttp://www.openwall.com/lists/oss-security/2010/01/13/3
• MISChttps://kb.bluecoat.com/index?page=content&id=SA50
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6678
• VENDOR_ADVISORYhttp://secunia.com/advisories/42733
• VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/0124
• MAILING_LISThttp://lists.fedoraproject.org/pipermail/package-announce/2010-April/038587.html
• VENDOR_ADVISORYhttp://secunia.com/advisories/38175
• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12168