![](https://seccdn.libravatar.org/avatar/e2145bc5cf53dda95c308a3c75e8fef3.jpg?s=120&d=mm&r=g)
Hello community, here is the log from the commit of package apache2 checked in at Mon May 26 19:05:43 CEST 2008. -------- --- apache2/apache2.changes 2008-04-18 14:20:24.000000000 +0200 +++ /mounts/work_src_done/STABLE/apache2/apache2.changes 2008-05-26 16:58:43.000000000 +0200 @@ -1,0 +2,10 @@ +Mon May 26 16:55:37 CEST 2008 - skh@suse.de + +- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): + Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a + per-connection memory leak which occurs if the client indicates + support for a compression algorithm in the initial handshake, and + mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096] + httpd-2.2.x-CVE-2008-1678.patch + +------------------------------------------------------------------- New: ---- httpd-2.2.x-CVE-2008-1678.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ apache2.spec ++++++ --- /var/tmp/diff_new_pack.f23764/_old 2008-05-26 19:04:22.000000000 +0200 +++ /var/tmp/diff_new_pack.f23764/_new 2008-05-26 19:04:22.000000000 +0200 @@ -56,7 +56,7 @@ Group: Productivity/Networking/Web/Servers %define realver 2.2.8 Version: 2.2.8 -Release: 13 +Release: 24 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: http://httpd.apache.org/dev/dist/httpd-%{realver}.tar.bz2 Source10: SUSE-NOTICE @@ -109,6 +109,7 @@ Patch65: httpd-2.0.49-log_server_status.dif Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif +Patch68: httpd-2.2.x-CVE-2008-1678.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.0 @@ -330,6 +331,7 @@ %patch65 -p1 %patch66 -p1 %patch67 -p1 +%patch68 -p3 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE # @@ -1031,6 +1033,13 @@ fi %changelog +* Mon May 26 2008 skh@suse.de +- CVE-2008-1678: modules/ssl/mod_ssl.c (ssl_cleanup_pre_config): + Remove the call to CRYPTO_cleanup_all_ex_data here, fixing a + per-connection memory leak which occurs if the client indicates + support for a compression algorithm in the initial handshake, and + mod_ssl is linked against OpenSSL >= 0.9.8f. [bnc#392096] + httpd-2.2.x-CVE-2008-1678.patch * Fri Apr 18 2008 poeml@suse.de - sync up with changes from Build Service: - new implementation of sysconf_addword, using sed instead of ed. ++++++ httpd-2.2.x-CVE-2008-1678.patch ++++++ --- httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:16:38 654118 +++ httpd/httpd/trunk/modules/ssl/mod_ssl.c 2008/05/07 14:17:31 654119 @@ -218,17 +218,18 @@ #if HAVE_ENGINE_LOAD_BUILTIN_ENGINES ENGINE_cleanup(); #endif -#ifdef HAVE_OPENSSL -#if OPENSSL_VERSION_NUMBER >= 0x00907001 - CRYPTO_cleanup_all_ex_data(); -#endif -#endif ERR_remove_state(0); /* Don't call ERR_free_strings here; ERR_load_*_strings only * actually load the error strings once per process due to static * variable abuse in OpenSSL. */ + /* Also don't call CRYPTO_cleanup_all_ex_data here; any registered + * ex_data indices may have been cached in static variables in + * OpenSSL; removing them may cause havoc. Notably, with OpenSSL + * versions >= 0.9.8f, COMP_CTX cleanups would not be run, which + * could result in a per-connection memory leak (!). */ + /* * TODO: determine somewhere we can safely shove out diagnostics * (when enabled) at this late stage in the game: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
participants (1)
-
root@Hilbert.suse.de