Apache httpd web server's mod_ssl module linked against OpenSSL >= 0.9.8f can leak pre-connection memory when a connecting client reports support for a compression algorithm in the initial handshake, causing httpd to run out of memory after a certain number of SSL connections.
Upstream and Ubuntu bug reports:
https://issues.apache.org/bugzilla/show_bug.cgi?id=44975
https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/224945
Upstream fix:
http://svn.apache.org/viewvc?view=rev&revision=654119
According to Joe Orton's investigation, this issue was introduced by the following OpenSSL patch:
http://cvs.openssl.org/chngview?cn=15897
which was first included in OpenSSL 0.9.8e. This issue does not affect versions of httpd / mod_ssl linked with earlier versions of the OpenSSL library.
This issue did not affect mod_ssl packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4 and 5, and Fedora 7 and 8. The issue did affect mod_ssl packages in Fedora 9 (both prefork and worker MPM).
httpd-2.2.9-1.fc9 has been submitted as an update for Fedora 9
httpd-2.2.9-1.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update httpd'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-6393
httpd-2.2.9-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1075 https://rhn.redhat.com/errata/RHSA-2009-1075.html