Todd Rinaldo brought to our attention (bug #567711) a flaw in OpenSSL that can cause a TLS/SSL server using OpenSSL to crash when a client proposes certain cipher suites in its client hello.
This crash is caused by a missing return value check for the Kerberos krb5_sname_to_principal() function in OpenSSL's kssl_keytab_is_available() (ssl/kssl.c). This function can return an error under certain circumstances (the issue was reproduced with dovecot and stunnel configured to chroot their process to an empty directory, causing the getaddrinfo() call to fail). If kssl_keytab_is_available() fails, it may leave princ (the Kerberos service principal) unmodified, causing krb5_kt_get_entry() to be called with a NULL principal. With certain krb5 versions, this leads to a NULL pointer dereference crash.
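The control flow described in comment #0, as an added C example that is not part of the bug report or of OpenSSL's ssl/kssl.c. The libkrb5 calls below are stand-ins written for this example (the error codes, the hostname mail.example.test and the sim_* knobs are assumptions, not the real MIT krb5 API); the keytab lookup behaves like the RHEL-3/4 krb5 mentioned later in the thread, returning an error for a NULL principal instead of dereferencing it, so the unchecked path can be observed rather than segfaulting. The two kssl_keytab_is_available_* functions show the shape of the code before and after the missing `if (krb5rc) goto exit;` check.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Stand-ins for the pieces of libkrb5 that ssl/kssl.c touches. They are
 * written for this example only and are not the real MIT krb5 API; the
 * names mirror the real calls so the control flow maps onto OpenSSL's
 * kssl_keytab_is_available().
 */
typedef int krb5_error_code;
typedef struct krb5_principal_data { char name[64]; } *krb5_principal;
typedef struct { const char *service_name; } KSSL_CTX;

#define KRB5SVC "host"          /* default service name, as in kssl.c */
#define SIM_ERR_RESOLVE 2       /* assumed code: getaddrinfo() failed */
#define SIM_ERR_NOTFOUND 3      /* assumed code: no such keytab entry */

/* Simulation knob: set to 1 to model a daemon chrooted into an empty
 * directory, where getaddrinfo() cannot resolve the local host name. */
int sim_name_resolution_fails = 0;
/* Counts how often krb5_kt_get_entry() was handed a NULL principal. */
int kt_get_entry_null_principal_calls = 0;

/* Like krb5_sname_to_principal(): builds "service/hostname". On a resolver
 * failure it returns an error and leaves *princ untouched, which is exactly
 * what the bug report relies on. */
static krb5_error_code
krb5_sname_to_principal(const char *service, krb5_principal *princ)
{
    if (sim_name_resolution_fails)
        return SIM_ERR_RESOLVE;               /* *princ stays as it was */
    krb5_principal p = calloc(1, sizeof(*p));
    if (p == NULL)
        return ENOMEM;
    /* constructed host name for the example */
    snprintf(p->name, sizeof(p->name), "%s/%s", service, "mail.example.test");
    *princ = p;
    return 0;
}

/* Like krb5_kt_get_entry(): looks the principal up in a one-entry keytab.
 * This stand-in behaves like the RHEL-3/4 krb5 described in the thread and
 * returns an error for a NULL principal; the krb5 builds that crash would
 * dereference princ->name here instead. */
static krb5_error_code
krb5_kt_get_entry(krb5_principal princ)
{
    if (princ == NULL) {
        kt_get_entry_null_principal_calls++;
        return SIM_ERR_NOTFOUND;
    }
    return strcmp(princ->name, "host/mail.example.test") == 0 ? 0 : SIM_ERR_NOTFOUND;
}

/* Vulnerable shape: the return value of krb5_sname_to_principal() is
 * ignored, so after a failure princ is still NULL when it reaches
 * krb5_kt_get_entry(). Returns 1 if the host key is in the keytab. */
int kssl_keytab_is_available_unchecked(KSSL_CTX *kssl_ctx)
{
    krb5_principal princ = NULL;
    krb5_error_code krb5rc;
    int rc = 0;

    krb5_sname_to_principal(kssl_ctx->service_name ? kssl_ctx->service_name : KRB5SVC, &princ);
    krb5rc = krb5_kt_get_entry(princ);    /* princ may be NULL here */
    if (krb5rc == 0)
        rc = 1;
    free(princ);
    return rc;
}

/* Fixed shape: bail out as soon as the principal could not be built. */
int kssl_keytab_is_available_checked(KSSL_CTX *kssl_ctx)
{
    krb5_principal princ = NULL;
    krb5_error_code krb5rc;
    int rc = 0;

    krb5rc = krb5_sname_to_principal(kssl_ctx->service_name ? kssl_ctx->service_name : KRB5SVC, &princ);
    if (krb5rc)
        goto exit;                        /* the missing check */
    krb5rc = krb5_kt_get_entry(princ);
    if (krb5rc == 0)
        rc = 1;
exit:
    free(princ);
    return rc;
}

int main(void)
{
    KSSL_CTX ctx = { NULL };
    sim_name_resolution_fails = 1;        /* the empty-chroot scenario */
    printf("chrooted, unchecked: %d (NULL principal reached kt_get_entry %d times)\n",
           kssl_keytab_is_available_unchecked(&ctx), kt_get_entry_null_principal_calls);
    printf("chrooted, checked:   %d\n", kssl_keytab_is_available_checked(&ctx));
    sim_name_resolution_fails = 0;        /* normal, resolvable host */
    printf("resolvable, checked: %d\n", kssl_keytab_is_available_checked(&ctx));
    return 0;
}
```

With name resolution failing, the unchecked variant passes a NULL principal into the keytab lookup once per call; whether that is a harmless error or a segfault depends only on what the linked krb5 does with the pointer, which is why the same OpenSSL build crashed on some systems and not others. The checked variant never reaches the lookup in that case and simply reports the keytab as unavailable.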
openssl-0.9.8m-1.fc11 has been submitted as an update for Fedora 11.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2010:0162 https://rhn.redhat.com/errata/RHSA-2010-0162.html
openssl-0.9.8n-1.fc11 has been submitted as an update for Fedora 11.
openssl-1.0.0-1.fc13 has been submitted as an update for Fedora 13.
openssl-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
The krb5_sname_to_principal() return value check is missing in the OpenSSL versions in Red Hat Enterprise Linux 3 and 4 too. However, as noted in comment #0, a NULL principal does not cause a crash in krb5_kt_get_entry() in all MIT krb5 versions. In the RHEL-3 and RHEL-4 krb5 library versions, krb5_kt_get_entry() returns an error without crashing.
openssl-1.0.0-1.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
openssl-0.9.8n-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
openssl-1.0.0-4.fc12 has been submitted as an update for Fedora 12.
openssl-1.0.0-4.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
(In reply to Tomas Hoger from comment #2)
> Upstream fix:
This is no longer working; the working link is: