openssl -- denial of service

ID DSA-393
Type debian
Reporter Debian
Modified 2003-10-01T00:00:00


Dr. Stephen Henson (, using a test suite provided by NISCC (<>), discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability. However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended.

For the current stable distribution (woody) these problems have been fixed in version 0.9.6c-2.woody.4.

For the unstable distribution (sid) these problems have been fixed in version 0.9.7c-1.

We recommend that you update your openssl package. Note that you will need to restart services which use the libssl library for this update to take effect.