Bug 447268 (CVE-2008-1678)
Summary: | CVE-2008-1678 httpd: mod_ssl per-connection memory leak for connections with zlib compression | |||
---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | |
Status: | CLOSED ERRATA | QA Contact: | ||
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | unspecified | CC: | jorton, kreilly, osoukup, pasteur | |
Target Milestone: | --- | Keywords: | Security | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Bug Fix | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 486941 (view as bug list) | Environment: | ||
Last Closed: | 2010-02-20 17:44:24 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | 447311, 447312, 499284, 499285 | |||
Bug Blocks: |
Description
Tomas Hoger
2008-05-19 08:06:37 UTC
According to Joe Orton's investigation, this issue was introduced by the following OpenSSL patch: http://cvs.openssl.org/chngview?cn=15897 which was first included in OpenSSL 0.9.8e. This issue does not affect versions of httpd / mod_ssl linked with earlier versions of OpenSSL library. This issue did not affect mod_ssl packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 7 and 8. Issue did affect mod_ssl packages in Fedora 9 (both prefork and worker MPM). httpd-2.2.9-1.fc9 has been submitted as an update for Fedora 9 httpd-2.2.9-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6393 httpd-2.2.9-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:1075 https://rhn.redhat.com/errata/RHSA-2009-1075.html |