In 2006, Tavis Ormandy and Will Drewry of the Google Security Team discovered a buffer overflow in the SSL_get_shared_ciphers() utility function. An attacker could send a list of ciphers to an application that used this function and overrun a buffer (CVE-2006-3738). Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. Moritz Jodeit found that a single byte (nul) overflow was still possible: http://www.securityfocus.com/archive/1/archive/1/480855/100/0/threaded Things that use SSL_get_shared_ciphers(): openssl: s_server usage ckermit: uses function mysql-4.1.10a: in a debugging #ifdef exim: only if debugging
Note that this issue is only of moderate security severity. Few applications make use of this vulnerable function and generally it is used only when applications are compiled for debugging. In addition this single-byte overflow is not likely to be exploitable which is why the OpenSSL team did not do an immediate fix for this issue. We fixed this issue in Red Hat Enterprise Linux 5 in early Oct 2007 because we had to issue an update to fix a higher severity issue that only affected the RHEL5 OpenSSL. An update to fix this issue is in progress for RHEL2.1 and RHEL3 and will be released when completed (depending on it passing Quality Engineering and the queue of higher severity issues) An update to fix this issue for RHEL4 will be issued after RHEL4.6 is released.
The update to correct this issue for RHEL2.1,3,5 have been released. An update to correct this issue for RHEL4 will be made available after the release of update 6 (4.6)