OpenSSL upstream reported the following security flaw: When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory causing a memory leak. By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. OpenSSL 1.0.1 users should upgrade to 1.0.1j. OpenSSL 1.0.0 users should upgrade to 1.0.0o. OpenSSL 0.9.8 users should upgrade to 0.9.8zc. This issue was reported to OpenSSL on 8th October 2014. The fix was developed by Stephen Henson of the OpenSSL core team. External Reference: https://www.openssl.org/news/secadv_20141015.txt
Upstream patch: OpenSSL-1.0.1: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7fd4ce6a997be5f5c9e744ac527725c2850de203 OpenSSL-0.9.8: https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=2ed80d14d7159de7b52c7720128459e8c24a94d5
Statement: This issue does not affect the version of openssl shipped with Red Hat Enterprise Linux 5; Red Hat JBoss Enterprise Application Server 5 and 6; and Red Hat JBoss Enterprise Web Server 1 and 2 because openssl-0.9.8e does not include support for session tickets.
IssueDescription: A memory leak flaw was found in the way OpenSSL handled failed session ticket integrity checks. A remote attacker could exhaust all available memory of an SSL/TLS or DTLS server by sending a large number of invalid session tickets to that server.
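The following C program is an added illustration of the bug class described above; it is not OpenSSL's code and not the upstream patch. The ticket format, the toy keyed checksum standing in for the ticket HMAC, the `ticket_ctx` allocation and the `live_allocations` counter are all constructed here so the leak is observable without a profiler. It places the leaky shape (early return on integrity failure skips cleanup) beside the fixed shape (one exit path that always releases the context), and counts the contexts left allocated after a burst of tickets with a corrupted tag.

```c
/* Hypothetical illustration of a per-ticket allocation that leaks when the
 * integrity check fails. Not OpenSSL code; names and formats are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16
#define MAC_LEN 4

/* Number of ticket contexts currently allocated (constructed instrumentation). */
static long live_allocations = 0;

typedef struct {
    uint8_t key[KEY_LEN];
    uint8_t scratch[64];    /* stands in for cipher/MAC state */
} ticket_ctx;

static ticket_ctx *ticket_ctx_new(const uint8_t *key) {
    ticket_ctx *ctx = calloc(1, sizeof *ctx);
    if (ctx) { memcpy(ctx->key, key, KEY_LEN); live_allocations++; }
    return ctx;
}

static void ticket_ctx_free(ticket_ctx *ctx) {
    if (ctx) { live_allocations--; free(ctx); }
}

/* Toy keyed checksum (constructed, NOT a real MAC) over key || data. */
static void toy_mac(const uint8_t *key, const uint8_t *data, size_t len, uint8_t out[MAC_LEN]) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < KEY_LEN; i++) { h ^= key[i]; h *= 16777619u; }
    for (size_t i = 0; i < len; i++)     { h ^= data[i]; h *= 16777619u; }
    for (int i = 0; i < MAC_LEN; i++) out[i] = (uint8_t)(h >> (8 * i));
}

/* Constant-time tag comparison. */
static int mac_equal(const uint8_t *a, const uint8_t *b) {
    uint8_t d = 0;
    for (int i = 0; i < MAC_LEN; i++) d |= a[i] ^ b[i];
    return d == 0;
}

/* Return codes: 1 = ticket accepted, 2 = ticket rejected, -1 = error. */

/* Leaky shape: the early return on tag mismatch never frees ctx. */
int decrypt_ticket_leaky(const uint8_t *key, const uint8_t *ticket, size_t len) {
    uint8_t expect[MAC_LEN];
    if (len < MAC_LEN) return -1;
    ticket_ctx *ctx = ticket_ctx_new(key);
    if (!ctx) return -1;
    toy_mac(ctx->key, ticket, len - MAC_LEN, expect);
    if (!mac_equal(expect, ticket + len - MAC_LEN))
        return 2;                              /* BUG: ctx leaked here */
    /* ... decryption and session reconstruction would follow ... */
    ticket_ctx_free(ctx);
    return 1;
}

/* Fixed shape: every outcome passes through the single cleanup label. */
int decrypt_ticket_fixed(const uint8_t *key, const uint8_t *ticket, size_t len) {
    int ret = -1;
    uint8_t expect[MAC_LEN];
    ticket_ctx *ctx = NULL;
    if (len < MAC_LEN) return -1;
    ctx = ticket_ctx_new(key);
    if (!ctx) goto done;
    toy_mac(ctx->key, ticket, len - MAC_LEN, expect);
    if (!mac_equal(expect, ticket + len - MAC_LEN)) { ret = 2; goto done; }
    ret = 1;
done:
    ticket_ctx_free(ctx);
    return ret;
}

typedef int (*ticket_check_fn)(const uint8_t *, const uint8_t *, size_t);

/* Build a constructed 32-byte ticket with a valid tag, optionally corrupt it. */
static void make_ticket(uint8_t key[KEY_LEN], uint8_t ticket[32], int corrupt) {
    memset(key, 0x5a, KEY_LEN);
    memset(ticket, 0x41, 32);
    toy_mac(key, ticket, 32 - MAC_LEN, ticket + 32 - MAC_LEN);
    if (corrupt) ticket[0] ^= 1;   /* body no longer matches the tag */
}

/* Feed `count` tickets with a bad tag to `check`; return contexts left allocated. */
long leaked_after_invalid_tickets(ticket_check_fn check, int count) {
    uint8_t key[KEY_LEN], ticket[32];
    make_ticket(key, ticket, 1);
    long before = live_allocations;
    for (int i = 0; i < count; i++) check(key, ticket, sizeof ticket);
    return live_allocations - before;
}

/* A well-formed ticket must still be accepted by either implementation. */
int valid_ticket_result(ticket_check_fn check) {
    uint8_t key[KEY_LEN], ticket[32];
    make_ticket(key, ticket, 0);
    return check(key, ticket, sizeof ticket);
}

int main(void) {
    printf("leaky: %ld contexts outstanding after 1000 bad tickets\n",
           leaked_after_invalid_tickets(decrypt_ticket_leaky, 1000));
    printf("fixed: %ld contexts outstanding after 1000 bad tickets\n",
           leaked_after_invalid_tickets(decrypt_ticket_fixed, 1000));
    return 0;
}
```

The defensive point is the control flow, not the checksum: any per-ticket state created before the integrity check must be released on the rejection path as well as the success path, and a single `goto done` cleanup label makes that hard to get wrong. Operationally, a server whose resident memory grows in step with the rate of rejected tickets is the observable symptom of this class of leak.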
Fixed upstream in OpenSSL versions 0.9.8zc, 1.0.0o and 1.0.1j: https://www.openssl.org/news/secadv_20141015.txt
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 7 Via RHSA-2014:1652 https://rhn.redhat.com/errata/RHSA-2014-1652.html
This issue has been addressed in the following products: Red Hat Storage 2.1 Via RHSA-2014:1692 https://rhn.redhat.com/errata/RHSA-2014-1692.html
This issue has been addressed in the following products: RHEV-H and Agents for RHEL-6 Via RHSA-2015:0126 https://rhn.redhat.com/errata/RHSA-2015-0126.html