Dr. Stephen Henson (firstname.lastname@example.org), using a test suite provided by NISCC (<http://www.niscc.gov.uk/>), discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability. However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended.
For the current stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.4.
For the unstable distribution (sid) these problems have been fixed in version 0.9.7c-1.
We recommend that you update your openssl package. Note that you will need to restart services which use the libssl library for this update to take effect.