PT-2010-1085 · Php+4

Michael K Johnson

·

Published

2010-01-14

·

Updated

2017-09-19

·

CVE-2009-4355

CVSS v2.0

10

High

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

OpenSSL versions 0.9.8l and earlier
OpenSSL versions 1.0.0 Beta through Beta 4
OpenSSL versions prior to 1.0.0e

Description

The issue concerns a vulnerability in the OpenSSL package; this entry rates it as affecting the confidentiality, integrity and availability of protected information, and it can be exploited remotely. A memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_cleanup_all_ex_data or CRYPTO_free_all_ex_data functions, as demonstrated by the use of SSLv3 and PHP with the Apache HTTP Server. The concrete effect described is server memory being consumed a little more on each triggering connection until the process is starved, i.e. a denial of service rather than disclosure or tampering.

Recommendations

For OpenSSL versions 0.9.8l and earlier, update to a version later than 0.9.8l. For OpenSSL versions 1.0.0 Beta through Beta 4, update to a version later than Beta 4. For OpenSSL versions prior to 1.0.0e, update to version 1.0.0e or later. Note that zlib_stateful_finish is an internal libcrypto function that is only compiled into builds with zlib compression support, so "restricting access" to it is not a meaningful workaround. Until a fixed build is installed, a workaround that actually removes the leaking code path is to run an OpenSSL built without zlib compression support (not configured with zlib, or configured with no-comp), at the cost of TLS compression; a version check alone does not tell you whether a given build has that code path at all.
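A small triage helper, added here as an example and not part of this advisory or of OpenSSL, that classifies an `openssl version` banner against the three ranges listed above. Naive string or tuple comparison gets OpenSSL's letter suffixes wrong (0.9.8zh is later than 0.9.8m, and 1.0.0-beta4 precedes 1.0.0), so the key function encodes that scheme explicitly. Assumptions: the range labels are this entry's own wording, the third range ("prior to 1.0.0e") is read as the 1.0.0 release branch from 1.0.0 final up to but excluding 1.0.0e (the CVE-2009-4355 description itself names only the first two ranges), and the sample banners are constructed, with dates incidental to parsing.

```python
"""Classify 'openssl version' banners against the ranges listed in this advisory."""
import re

# Matches the leading 'OpenSSL <major>.<minor>.<patch><letters>[-beta<n>]' of a banner.
_BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?",
    re.IGNORECASE,
)

# (label as worded in this advisory, lower bound inclusive or None, upper bound exclusive).
# Assumption: the third range is read as the 1.0.0 branch, 1.0.0 final through 1.0.0d.
AFFECTED_RANGES = (
    ("0.9.8l and earlier", None, (0, 9, 8, "m", None)),
    ("1.0.0 Beta through Beta 4", (1, 0, 0, "", 1), (1, 0, 0, "", 5)),
    ("prior to 1.0.0e", (1, 0, 0, "", None), (1, 0, 0, "e", None)),
)


def parse_openssl_version(banner):
    """Parse a banner into (major, minor, patch, letters, beta).

    'OpenSSL 0.9.8k 25 Mar 2009'    -> (0, 9, 8, 'k', None)
    'OpenSSL 1.0.0-beta4 ...'       -> (1, 0, 0, '', 4)
    """
    m = _BANNER_RE.search(banner)
    if m is None:
        raise ValueError("not an OpenSSL version banner: %r" % (banner,))
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letters = m.group(4).lower()
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, patch, letters, beta)


def version_key(version):
    """Sort key for OpenSSL's scheme: a beta precedes the final release of the
    same number, and the letter suffix sorts after the bare release, with
    '' < 'a' < ... < 'z' < 'za' < 'zb' (compared as a tuple of code points)."""
    major, minor, patch, letters, beta = version
    return (
        major, minor, patch,
        0 if beta is not None else 1,      # beta before final
        beta if beta is not None else 0,   # beta1 < beta2 < ...
        tuple(ord(c) for c in letters),    # '' < 'a' < 'l' < 'm' < 'zh'
    )


def affected_range(banner):
    """Return the advisory range label the banner's version falls in, or None."""
    key = version_key(parse_openssl_version(banner))
    for label, lower, upper in AFFECTED_RANGES:
        if (lower is None or version_key(lower) <= key) and key < version_key(upper):
            return label
    return None


def is_affected(banner):
    return affected_range(banner) is not None


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = (
    "OpenSSL 0.9.8k 25 Mar 2009",
    "OpenSSL 0.9.8l 5 Nov 2009",
    "OpenSSL 0.9.8m 25 Feb 2010",
    "OpenSSL 1.0.0-beta4 10 Nov 2009",
    "OpenSSL 1.0.0a 1 Jun 2010",
    "OpenSSL 1.0.0e 6 Sep 2011",
    "OpenSSL 0.9.8zh 3 Dec 2015",
)

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print("%-36s %s" % (banner, affected_range(banner) or "not in an affected range"))
```

Feed it the first line of `openssl version` (or the banner reported by an inventory tool) from each host. A hit only says the version is inside one of the listed ranges; whether the leaking path is present still depends on the build having zlib compression compiled in, as noted in the recommendations.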

Exploit

Fix

DoS


Weakness Enumeration

Related identifiers

BDU:2015-09418
CVE-2009-4355
DSA-1970-1
HPSBUX02517
RHSA-2010:0054

Affected products

Apache Http Server
Hp-Ux
Openssl
Php
Red Hat